Larry McCay created KNOX-761:

             Summary: KnoxSSO Needs to Support Multi-tenant Usecases
                 Key: KNOX-761
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
            Reporter: Larry McCay
             Fix For: 0.10.0

In a deployment that separates tenant access to Hadoop resources through 
dedicated topologies with tenant-specific authentication, there are a couple 

* The pac4j provider seems to be caching config settings in a singleton, which makes 
the redirect URL nondeterministic.
* The KnoxSSO cookie would be trusted across tenant-specific topologies, which could 
lead to unauthorized access to resources that belong to another tenant.

The use of tenant-specific audience claims within the JWT token could be used 
to mitigate the cross-tenant trust issue.

We need to investigate the pac4j provider issue with the singleton config.
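
The audience-claim mitigation mentioned above, sketched as an added example (not Knox code and not part of the original issue): each topology accepts an SSO token only if its own name appears in `aud`, and rejects tokens that carry no audience at all. The topology names, the HMAC key and the HS256 signing are constructed stand-ins for the gateway's real signing setup.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for the gateway signing key

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(subject, audiences):
    """Issue a token scoped to the given tenant topologies (hypothetical helper)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": subject, "aud": audiences}).encode())
    return f"{header}.{payload}.{_b64(_sign(header + '.' + payload))}"

def _verified_claims(token):
    """Return the claims dict if the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(_sign(header + "." + payload), _unb64(sig)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(payload))
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError, AttributeError):
        return None

def accept_signature_only(token):
    """The behaviour the issue describes: any validly signed cookie is trusted."""
    claims = _verified_claims(token)
    return claims.get("sub") if claims else None

def accept_for_topology(token, topology):
    """Trust the token only if this topology is a named audience (fail closed)."""
    claims = _verified_claims(token)
    if not claims:
        return None
    aud = claims.get("aud")
    if isinstance(aud, str):          # "aud" may be a single string or a list
        aud = [aud]
    if not isinstance(aud, list) or topology not in aud:
        return None                   # missing or foreign audience: reject
    return claims.get("sub")

if __name__ == "__main__":
    cookie = issue_token("alice", ["tenant-a"])       # constructed sample token
    print(accept_signature_only(cookie))              # trusted by every topology
    print(accept_for_topology(cookie, "tenant-a"))    # accepted by its own tenant
    print(accept_for_topology(cookie, "tenant-b"))    # rejected by another tenant
```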
