You don't (typically) :)
The thin client needs to authenticate to the proxy server and then the
proxy server would perform the SPNEGO authentication as itself to the
backend server (PQS).
One of the perks of using a proxy server like this is that you can use a
very simple authentication method to the proxy server (HTTP BASIC auth)
instead of SPNEGO (which is much more error-prone).
Assuming your situation hasn't changed, this would be some amount of
configuration of Apache Knox to authenticate to PQS and "impersonate"
you. This might be dependent on some Knox work (configuration, if
nothing else), maybe also on your patch from CALCITE-1539.
Shi Wang wrote:
Hi,
Normally if I use PQS thin client SPNEGO authentication, just need to
specify keytab and principal in the query string. But if before reaching
PQS, need to do Basic auth to a proxy server. How do I encapsulate both
the credential for Basic auth and the SPNEGO credential?
Best,
Shi
