Need to sign in for those. Here is one you don't need to sign in to read.
https://msdn.microsoft.com/en-us/magazine/cc188757.aspx
On 1/23/15 1:33 PM, Eron Wright wrote:
Informational, no issue here.

To access Hadoop services on behalf of an authenticated user, Knox authenticates with the service using the ‘knox’ user, but passes a ‘doAs’ parameter conveying the caller’s identity. The service checks that ‘knox’ is a valid proxy user. Some services (like WebHDFS) are themselves proxies to other services, in which case a similar procedure occurs recursively.

It occurred to me that this procedure resembles the ‘protocol transition’ Kerberos extension that Microsoft introduced years ago, known as S4U. S4U is an alternative approach that Knox could use to access Kerberos-secured services that don’t support a ‘doAs’ parameter. I dug up a few articles on the subject to share with the group.

Explanation - https://technet.microsoft.com/en-us/library/cc738207(v=ws.10).aspx
Specification - https://msdn.microsoft.com/en-us/library/cc246071.aspx
MIT Kerberos support - http://k5wiki.kerberos.org/wiki/Projects/Services4User

Enjoy,
Eron Wright
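
The ‘doAs’ check described in the quoted message, as an added example that is not part of the original thread and is not Knox or Hadoop code: a simplified Python model of how a service decides whether the authenticated ‘knox’ principal may act for the named caller. The property names follow Hadoop's hadoop.proxyuser.<name>.hosts/.groups convention; the addresses, users, group map and function names are constructed, and only IP/CIDR host entries and group rules are handled.

```python
from ipaddress import ip_address, ip_network

# Constructed sample configuration (assumption): which hosts 'knox' may
# connect from, and which groups' members it may impersonate.
PROXY_CONF = {
    "hadoop.proxyuser.knox.hosts": "10.0.0.5,10.0.1.0/24",
    "hadoop.proxyuser.knox.groups": "analysts,etl",
}
USER_GROUPS = {"alice": {"analysts"}, "bob": {"finance"}}  # constructed

def _host_allowed(spec, remote_addr):
    """True if remote_addr matches '*' or any IP/CIDR entry in spec."""
    if spec.strip() == "*":
        return True
    addr = ip_address(remote_addr)
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    return any(addr in ip_network(e, strict=False) for e in entries)

def _group_allowed(spec, user):
    """True if user belongs to a listed group, or spec is '*'."""
    if spec.strip() == "*":
        return True
    allowed = {g.strip() for g in spec.split(",") if g.strip()}
    return bool(allowed & USER_GROUPS.get(user, set()))

def effective_user(authenticated, do_as, remote_addr, conf=PROXY_CONF):
    """Return the identity a request runs as, or raise PermissionError.

    authenticated: principal proven by authentication (e.g. 'knox')
    do_as:         value of the 'doAs' parameter, or None if absent
    """
    if not do_as or do_as == authenticated:
        return authenticated  # no impersonation requested
    hosts = conf.get(f"hadoop.proxyuser.{authenticated}.hosts")
    groups = conf.get(f"hadoop.proxyuser.{authenticated}.groups")
    # Fail closed: a principal with no proxy rules may not impersonate anyone.
    if hosts is None or groups is None:
        raise PermissionError(f"{authenticated} is not a configured proxy user")
    if not _host_allowed(hosts, remote_addr):
        raise PermissionError(f"{authenticated} may not proxy from {remote_addr}")
    if not _group_allowed(groups, do_as):
        raise PermissionError(f"{authenticated} may not impersonate {do_as}")
    return do_as
```

The three refusals correspond to the three things the receiving service has to trust: that the authenticated principal is a designated proxy at all, that the request arrives from where that proxy runs, and that the named caller is within the set it may act for.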