[ https://issues.apache.org/jira/browse/KNOX-1834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16801202#comment-16801202 ]

Larry McCay commented on KNOX-1834:
-----------------------------------

Hi John - thank you for the "wish" :).

It is certainly a decent way to do the same, but it doesn't align with what 
proxyusers do in the Hadoop ecosystem.

You should also be aware that user.name is what is used by default in unsecured 
clusters for those services that support Simple or Pseudo authentication. The 
real proxyuser implementation uses a doAs query param along with Kerberos for 
strong authentication between Knox and the backend service. So Knox 
authenticates via Kerberos and asserts the identity of the authenticated user 
via doAs. This is a Hadoop pattern and feature and existed before Knox.

Do you have a specific backend service that you would rather do it this way for?

If so, this is certainly possible, but you would need a couple of things:
 # A service definition for your custom service
 # A custom dispatch to be added to your ext jar, or contributed to Apache Knox 
if generic enough
 # You can use the built-in Token Authority Service in Knox, but we would need 
to extend that to add groups as claims. This is something that we have avoided 
so far, as the token can live for a period of time that exceeds the user's 
membership in a given group, and the lookups are better done closer to and at 
the time of the actual resource access.
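The two identity-assertion styles contrasted in the comment above, as an added Python sketch that is not Knox or Hadoop code: a trusted-on-faith user.name parameter for unsecured clusters versus an authenticated principal impersonating via doAs under a proxyuser rule. The rule keys mirror Hadoop's hadoop.proxyuser.<name>.hosts/.users/.groups properties, but the lookup logic, host names and group data are assumptions for illustration.

```python
# Added example (not Knox or Hadoop code): a minimal model of the two
# identity-assertion styles. In an unsecured cluster a service trusts the
# `user.name` query parameter as-is; in a secured cluster the caller must
# first authenticate (Kerberos in practice) and may then impersonate via
# `doAs` only if a proxyuser rule allows that principal from that host.
from urllib.parse import parse_qs

# Constructed proxyuser rules: the "knox" service principal may impersonate
# any member of group "analysts" when calling from one of the listed hosts.
# A "*" host entry means any host, as in Hadoop's proxyuser configuration.
PROXYUSER_RULES = {
    "knox": {
        "hosts": {"gw1.example.internal", "gw2.example.internal"},
        "users": set(),
        "groups": {"analysts"},
    },
}

# Constructed group membership, looked up at access time rather than frozen
# into a long-lived token (the concern raised in the comment).
GROUPS = {"alice": {"analysts"}, "bob": {"ops"}}


def effective_user(query, secured, auth_principal=None, remote_host=None):
    """Return the identity the backend should act as, or None if rejected."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if not secured:
        # Simple/Pseudo auth: whatever user.name says is taken on faith.
        return params.get("user.name")
    if auth_principal is None:
        return None  # secured cluster: unauthenticated callers are rejected
    target = params.get("doAs")
    if target is None or target == auth_principal:
        return auth_principal  # no impersonation requested
    rule = PROXYUSER_RULES.get(auth_principal)
    if rule is None:
        return None  # principal is not a configured proxyuser
    if "*" not in rule["hosts"] and remote_host not in rule["hosts"]:
        return None  # allowed proxyuser, but not from this host
    if target in rule["users"] or GROUPS.get(target, set()) & rule["groups"]:
        return target
    return None  # target user is outside the rule's users/groups
```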

> I wish that Knox passed signed JWTs to backend services
> -------------------------------------------------------
>
>                 Key: KNOX-1834
>                 URL: https://issues.apache.org/jira/browse/KNOX-1834
>             Project: Apache Knox
>          Issue Type: Wish
>            Reporter: John Ruiz
>            Priority: Major
>
> My understanding based on reading the User's Guide is that Knox will assert 
> the authenticated user/client to a backend REST API by adding user.name to 
> the query or form parameters sent to the backend service.
> I wish that I could configure Knox to instead assert the authenticated user 
> via a signed JWT in the Authentication header sent to the backend service.
> In this way, I would be able to receive asserted groups that were 'looked up' 
> when the user/client authenticated to Knox.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)