[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16846470#comment-16846470 ]

Bolke de Bruin commented on ATLAS-3153:
---------------------------------------

[~srikvenk] I have already included documentation in the PR (twiki) that 
describes this. Do you want me to extend that?

We don't use Azure, but the Keycloak client should work with any OAuth provider 
or (preferred) OpenID Connect (a layer on top of OAuth). Azure supports both, so 
with proper configuration in keycloak.json and maybe a mapper defined in 
Azure's service definition this should 'just' work. AuthN/Z are then both 
supported. If you disable Hadoop's UGI integration as documented, you have 
roles/groups (exclusive: this is a limitation of Atlas at the moment, not of 
Keycloak/OpenID).

> Support OpenID Connect directly rather than through Knox
> --------------------------------------------------------
>
>                 Key: ATLAS-3153
>                 URL: https://issues.apache.org/jira/browse/ATLAS-3153
>             Project: Atlas
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>            Reporter: Bolke de Bruin
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The current SSO implementation with Apache Knox is limiting SSO 
> interoperability to Apache Knox. Knox uses JWT verification which could 
> easily be extended to allow for direct OpenID Connect support and doesn't 
> require organizations to deploy Knox.
> Required changes:
>  * Pickup bearer token from headers
>  * Improve and standardize redirecting
>  * Optionally: obtain certificates from the well-known URI
>  * Optionally: obtain user groups from the userinfo endpoint rather than UGI
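The two items the issue description and the comment above both turn on are picking the bearer token out of the request headers and then verifying the token's signature and claims before any roles/groups are trusted. The following is an added illustration, not code from the Atlas PR or from Keycloak: it uses a constructed token, and HS256 with a shared secret stands in for the RS256 signature check against keys fetched from the provider's well-known URI, which a real OpenID Connect deployment would use instead.

```python
# Added example (not Atlas or Keycloak code). Extracts a bearer token from
# request headers and validates a JWT's signature and claims. The HS256
# shared-secret check is a stand-in for RS256/JWKS verification.
import base64, hashlib, hmac, json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def extract_bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', else None."""
    auth = headers.get("Authorization") or headers.get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None

def verify_jwt(token, secret, issuer, audience, now):
    """Check alg, signature, iss, aud, exp, nbf; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims

def make_token(claims, secret, alg="HS256"):
    """Constructed test-token builder; 'alg' only sets the header field."""
    h64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"
```

Groups taken from the verified claims (or from the userinfo endpoint) are only safe to map to Atlas roles after every check above has passed.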



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)