kenneth ho created FALCON-1026:
----------------------------------
Summary: Falcon UI to participate in SSO provided by Knox
Key: FALCON-1026
URL: https://issues.apache.org/jira/browse/FALCON-1026
Project: Falcon
Issue Type: Bug
Affects Versions: 0.6
Reporter: kenneth ho
Fix For: 0.6
Knox will provide SSO to Hadoop's Web UI. So once the user is authenticated to
one Hadoop Console (e.g. Ambari Server or NN UI etc.), navigating to another Web
UI (DN UI or Falcon UI) will not require the user to re-authenticate, and their
identity from authentication against the first UI will be propagated to the
second UI.
In terms of requirements:
1. Knox will provide an SSO server as a Knox feature.
2. Knox server will provide a login page.
3. Knox team will provide an authentication filter that will be a servlet filter.
4. The component's team will insert/package the authentication filter with the
component.
5. The component team will provide a logout link on their pages; the link will
redirect to Knox server SSO for the logout scenario.
The benefits of this feature:
1. SSO between Hadoop's Web UIs - the end user will need to authenticate only once
and his identity is propagated between consoles.
2. Knox will provide authentication based on various modern authentication
schemes such as SAML (Dal), OAuth (Future), Multi-Factor Authentication, and
component teams get these integrations without any extra work needed.
What mechanisms are available in NameNode to handle browser identity? If SPNEGO
is it, how would someone pass identity with that on a click? Any plans (or is
there current support) for OAuth?
Also assume that Ambari is wired up to an external LDAP for authentication, so the
user authenticated in Ambari is an LDAP user and that the identity is in LDAP.