Larry McCay created KNOX-761:
--------------------------------
Summary: KnoxSSO Needs to Support Multi-tenant Usecases
Key: KNOX-761
URL: https://issues.apache.org/jira/browse/KNOX-761
Project: Apache Knox
Issue Type: Bug
Components: Server
Reporter: Larry McCay
Fix For: 0.10.0
In a deployment that separates tenant access to Hadoop resources through
dedicated topologies with tenant specific authentication, there are a couple
issues:
* pac4j provider seems to be caching config settings in a singleton which makes
the redirect url nondeterministic.
* knoxsso cookie would be trusted across tenant specific topologies which could
lead to unauthorized access to resources that belongs to another tenant
The use of tenant specific audience claims within the JWT token could be used
to mitigate the cross tenant trust issue.
We need to investigate the pac4j provider issue with the singleton config.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
