Dear experts, We are recently starting to adopt Knox as the principle component for equipping our data processing cluster a complete security layer.
In fact, the situation is, in our cluster, there are Apache components like Apache HBase, HDFS which play the role as our data processing backend. These components work perfectly with Kerberos authentication for Access Control. On the other hand, our frontend is using CAS for authenticating users (when accessing the data stored in our cluster). We just wonder (sorry if this turns out to a dumb question for you all) if it is possible for the following scenario? 1) User access to our web UI, inputting the username and password 2) The CAS authentication certificates that username and password, there will be a token stored in this session 3) We (somehow) convert this token into Kerberos token which will be passed to backend API when querying data. The main concern is about the step 3). The reason we think of this scenario is because we don't expect the users to login one more time to create a Kerberos token (for backend access). Do you think this is a reasonable authentication setup? And if YES, do you think is possible with the help from Knox API? Thank you in advance for your time and consideration. Best regards Tien Dat PHAN
