[ https://issues.apache.org/jira/browse/KNOX-25?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dilli Arumugam updated KNOX-25:
-------------------------------

    Attachment: KNOX-25.patch

Attaching a topology file illustrating a configuration that would allow 
authenticating a client of Knox using SPNEGO. The client can be a browser or 
the curl command line, for example.

Topology file added:
gateway-release/home/templates/hadas.xml

Please pay attention to the authentication provider in the topology:

       <provider>
            <role>authentication</role>
            <name>HadoopAuth</name>
            <enabled>true</enabled>

            <param>
                <name>config.prefix</name>
                <value>hadoop.auth.config</value>
            </param>
            <param>
                <name>hadoop.auth.config.signature.secret</name>
                <value>78hdkjaka</value>
            </param>
            <param>
                <name>hadoop.auth.config.type</name>
                <value>kerberos</value>
            </param>
            <param>
                <name>hadoop.auth.config.simple.anonymous.allowed</name>
                <value>false</value> <!-- default: false -->
            </param>
            <param>
                <name>hadoop.auth.config.token.validity</name>
                <value>1800</value>
            </param>
            <param>
                <name>hadoop.auth.config.cookie.domain</name>
                <value>hdp.example.com</value>
            </param>
            <param>
                <name>hadoop.auth.config.cookie.path</name>
                <value>gateway/hada</value>
            </param>
            <param>
                <name>hadoop.auth.config.kerberos.principal</name>
                <value>HTTP/[email protected]</value>
            </param>
            <param>
                <name>hadoop.auth.config.kerberos.keytab</name>
                <value>/etc/knox/conf/knox.spnego.keytab</value>
            </param>
            <param>
                <name>hadoop.auth.config.kerberos.name.rules</name>
                <value>DEFAULT</value>
            </param>

        </provider>




> Knox should support authentication using SPNEGO from browser
> ------------------------------------------------------------
>
>                 Key: KNOX-25
>                 URL: https://issues.apache.org/jira/browse/KNOX-25
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>    Affects Versions: 0.2.0
>            Reporter: Kevin Minder
>            Assignee: Dilli Arumugam
>             Fix For: 0.5.0
>
>         Attachments: KNOX-25.patch
>
>
> From BUG-4304
> The basic interactions flow might look like this.
> 1. Client authenticates with KDC
> 2. Client requests HDFS resource via gateway
> 3. Gateway forwards original request to service
> 4. Service challenges with SPNEGO
> 5. Gateway returns challenge to client.
> 6. Client resends request with tokens
> 7. Gateway dispatches request and tokens to service.
> 8. Service provides response including hadoop.auth cookie. This prevents 
> subsequent KDC and SPNEGO interactions.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
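
A check one could run over a HadoopAuth provider like the one in the comment above, as an added example that is not part of the original message or of the Knox code base: it reads the provider's params through `config.prefix` and flags settings that weaken the signed hadoop.auth cookie or the SPNEGO setup. The sample XML values, the two thresholds and the name `audit_provider` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the provider in the message; values are placeholders.
SAMPLE = """<provider>
  <role>authentication</role><name>HadoopAuth</name><enabled>true</enabled>
  <param><name>config.prefix</name><value>hadoop.auth.config</value></param>
  <param><name>hadoop.auth.config.signature.secret</name><value>changeme1</value></param>
  <param><name>hadoop.auth.config.type</name><value>kerberos</value></param>
  <param><name>hadoop.auth.config.simple.anonymous.allowed</name><value>false</value></param>
  <param><name>hadoop.auth.config.token.validity</name><value>1800</value></param>
  <param><name>hadoop.auth.config.cookie.path</name><value>gateway/sample</value></param>
  <param><name>hadoop.auth.config.kerberos.principal</name><value>HTTP/knox.example.com@EXAMPLE.COM</value></param>
  <param><name>hadoop.auth.config.kerberos.keytab</name><value>/etc/knox/conf/knox.spnego.keytab</value></param>
</provider>"""

MIN_SECRET_LEN = 32     # assumed local policy, not a Knox requirement
MAX_VALIDITY_S = 36000  # assumed local policy for cookie lifetime, in seconds

def audit_provider(xml_text):
    """Return (setting, problem) pairs for one HadoopAuth <provider> element."""
    root = ET.fromstring(xml_text)
    params = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
              for p in root.iter("param")}
    prefix = params.get("config.prefix", "")

    def get(key, default=""):
        return params.get(f"{prefix}.{key}", default)

    findings = []
    # The secret signs the auth cookie; a short literal in a shared file is guessable.
    if len(get("signature.secret")) < MIN_SECRET_LEN:
        findings.append(("signature.secret", "missing or short literal signing secret"))
    if get("type") != "kerberos":
        findings.append(("type", "handler type is not kerberos"))
    if get("simple.anonymous.allowed", "false").lower() == "true":
        findings.append(("simple.anonymous.allowed", "anonymous requests accepted"))
    validity = get("token.validity")
    if validity and (not validity.isdigit() or int(validity) > MAX_VALIDITY_S):
        findings.append(("token.validity", "non-numeric or longer than policy"))
    # RFC 6265: a Path attribute that does not start with "/" is ignored by browsers.
    path = get("cookie.path")
    if path and not path.startswith("/"):
        findings.append(("cookie.path", "no leading '/', browser falls back to default path"))
    if not get("kerberos.principal").startswith("HTTP/"):
        findings.append(("kerberos.principal", "SPNEGO needs an HTTP/ service principal"))
    if not get("kerberos.keytab").startswith("/"):
        findings.append(("kerberos.keytab", "missing or relative keytab path"))
    return findings
```
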
