Created 01-19-2017 01:28 PM
What does it mean if the gateway-audit.log does not show a value for the PROXY_USER_NAME audit log field when I make a successful REST API call to Knox/webhdfs? I am assuming there should always be a value in the log for the effective user (PROXY_USER_NAME)? [1]
Log file example:
17/01/19 10:44:09 ||8945e8d7-eb49-45da-93c4-43d47ccdc3fb|audit|WEBHDFS|guest|||authentication|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Groups: [] 17/01/19 10:44:09 ||8945e8d7-eb49-45da-93c4-43d47ccdc3fb|audit|WEBHDFS|guest|||authorization|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success| 17/01/19 10:44:09 ||8945e8d7-eb49-45da-93c4-43d47ccdc3fb|audit|WEBHDFS|guest|||dispatch|uri|http://namenode:50070/webhdfs/v1/?user.name=guest&op=LISTSTATUS|success|Response status: 200 17/01/19 10:44:09 ||8945e8d7-eb49-45da-93c4-43d47ccdc3fb|audit|WEBHDFS|guest|||access|uri|/gateway/default/webhdfs/v1/?op=LISTSTATUS|success|Response status: 200
Created 01-19-2017 05:08 PM
The PROXY_USER_NAME is actually poorly named. This value is only populated if principal mapping within identity assertion is done to map the authenticated user to another username to proxy to the backend service. It should probably be called MAPPED_USER or something like that. See: http://knox.apache.org/books/knox-0-11-0/user-guide.html#Audit
Created 01-19-2017 05:08 PM
The PROXY_USER_NAME is actually poorly named. This value is only populated if principal mapping within identity assertion is done to map the authenticated user to another username to proxy to the backend service. It should probably be called MAPPED_USER or something like that. See: http://knox.apache.org/books/knox-0-11-0/user-guide.html#Audit
Created 01-19-2017 08:38 PM
Thank you for the quick response. matts