Ahh I see, LDAP was the use case that was on the top of my head. I updated the KIP to reflect the changes.
Thanks!

On Thu, Feb 22, 2024 at 7:29 PM larry mccay <lmc...@apache.org> wrote:

> I think my point was that line of sight isn't necessarily required.
> For LDAP based authentication, I suppose it is.
>
> But for many SSO based flows it is not, as the browser is typically
> redirected and therefore would need line of sight but Knox wouldn't care
> until it redirected back with a cookie or the like.
> There are also cases where Knox will authenticate tokens (JWTs, passcode,
> etc) locally and not rely on other services or redirects, etc.
>
> So, it isn't necessarily an assumption for the entire feature but may be
> required for things like LDAP.
>
> On Mon, Feb 12, 2024 at 7:56 PM Sandeep Moré <moresand...@gmail.com> wrote:
>
> > Thanks Larry!
> > My numbering got messed up, I fixed it now! Good catch on the external IdP,
> > I changed the wording to "Knox needs to have a clear line of sight to the
> > IdP." The previous choice of words was confusing.
> > Thank you for taking a look and looking forward to your feedback.
> >
> > On Mon, Feb 12, 2024 at 7:30 PM larry mccay <lmc...@apache.org> wrote:
> >
> > > Very interesting, @Sandeep More <moresand...@gmail.com> - thank you for
> > > this!
> > >
> > > Looks like there is a missing UC2.
> > > I also note a comment that a clear line of sight is required - I may need
> > > more information on that but need to read it in greater detail.
> > > Look forward to reading it closely!
> > >
> > > thanks
> > >
> > > --larry
> > >
> > > On Fri, Feb 9, 2024 at 3:39 PM Sandeep Moré <moresand...@gmail.com> wrote:
> > >
> > > > Hello Folks,
> > > > With workloads moving towards Kubernetes we should think about using Knox
> > > > for authentication and authorization in Kubernetes.
> > > >
> > > > I created a design document (KIP) which includes design and use cases I can
> > > > think of:
> > > >
> > > > https://cwiki.apache.org/confluence/display/KNOX/KIP-16+Knox+as+External+Authorizer+in+Kubernetes
> > > >
> > > > I would love to know your thoughts, comments and critiques on this.
> > > >
> > > > Best,
> > > > Sandeep