User impersonnation not working with ozone httpfs

[sinedTr]

Hello, I'm trying to make ozone httpfs work through apache knox. I'm getting this error message when testing with curl :

curl -k --negotiate -u : "https://knox-url.com/sandbox/main/webhdfs/v1/?op=LISTSTATUS" {"RemoteException":{"message":"User: knox/master4.local@REALM is not allowed to impersonate user01","exception":"AuthorizationException","javaClassName":"org.apache.hadoop.security.authorize.AuthorizationException"}}

I have these proxyuser settings in httpfs-site.xml :

<property><name>hadoop.proxyuser.knoxuser.hosts</name><value>*</value></property> <property><name>hadoop.proxyuser.knoxuser.groups</name><value>*</value></property>

The error message indicates the SPN was not converted to the user name with auth_to_local rules so I checked the auth_to_local rules and confirmed they are set :

curl -s --negotiate -u : "https://master2.local:14000/conf" | grep RULE <property><name>hadoop.security.auth_to_local</name><value>RULE:[1:$1@$0](knox@REALM)s/.*/knoxuser/ RULE:[2:$1@$0](knox@REALM)s/.*/knoxuser/ DEFAULT</value><final>false</final><source>core-site.xml</source></property>

ozone httpfs works fine when not going through knox.
Am I doing something wrong or could this be a bug ?

[jojochuang]

Not sure who can answer this -- @dombizita or @fapifta ?
Please note this is holiday week and the response may be delayed.

Also, try adding the proxyuser configurations in core-site.xml instead of httpfs-site.xml. Example:

ozone/hadoop-ozone/dist/src/main/compose/common/security.conf

Line 18 in 8651aa4

CORE-SITE.XML_hadoop.proxyuser.httpfs.hosts=*

[sinedTr]

Proxyuser confs are now in core-site.xml instead of httpfs-site.xml but the issue remains

[dombizita]

Hi @sinedTr, I tried this and I needed to add a config for the user which should be allowed to perform doAs operations: httpfs.proxyuser.USER.hosts and httpfs.proxyuser.USER.groups with respective values (I did it with *). It's not in our documentation sadly, we should add it, but we have it in the httpfs-default.xml here.

ozone/hadoop-ozone/httpfsgateway/src/main/resources/httpfs-default.xml

Lines 213 to 252 in b0236e1

	<!-- HttpFSServer proxy user Configuration -->
	<!--
	The following 2 properties within this comment are provided as an
	example to facilitate configuring HttpFS proxyusers.
	<property>
	<name>httpfs.proxyuser.#USER#.hosts</name>
	<value>*</value>
	<description>
	List of hosts the '#USER#' user is allowed to perform 'doAs'
	operations.
	The '#USER#' must be replaced with the username o the user who is
	allowed to perform 'doAs' operations.
	The value can be the '*' wildcard or a list of hostnames.
	For multiple users copy this property and replace the user name
	in the property name.
	</description>
	</property>
	<property>
	<name>httpfs.proxyuser.#USER#.groups</name>
	<value>*</value>
	<description>
	List of groups the '#USER#' user is allowed to impersonate users
	from to perform 'doAs' operations.
	The '#USER#' must be replaced with the username o the user who is
	allowed to perform 'doAs' operations.
	The value can be the '*' wildcard or a list of groups.
	For multiple users copy this property and replace the user name
	in the property name.
	</description>
	</property>
	-->

Please let me know if this solved the issue for you.

[sinedTr]

Hello @dombizita I added these lines in httpfs-site.xml. It's working now, thank you !

[jojochuang]

looks like a documentation gap. Opened https://issues.apache.org/jira/browse/HDDS-14352 to track the it.

[smengcl]

Thanks @dombizita . Thanks @jojochuang for filing a jira. I've asked Cursor to generate a doc diff according to the discussion thread here and it looks decent to me. ptal for any glaring issues #9596