[
https://issues.apache.org/jira/browse/KNOX-27?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dilli Arumugam updated KNOX-27:
-------------------------------
As a first phase of implementation, I am doing the following as of 05/28/13:
1. Client requests HDFS resource via gateway
2. Gateway establishes client identity using HTTP basic, let us say the client
is identified as joe
3. Gateway makes a service request with parameter doas=joe
4. Service challenges Gateway with Negotiate for authentication
5. Gateway gets the knox->service ticket from KDC and presents a SPNego token
to the service
6. Service fulfills the operation and returns response.
7. Gateway forwards the response to the client
At this point, Gateway is not caching the service tickets or SPNego tokens.
So, for every request from the client, Gateway would get knox->service Kerberos
ticket from KDC and submit to service.
We would have to do more work and make some decisions on the designs to avoid
repeated KDC calls.
> Access Kerberos secured Hadoop cluster via gateway using basic auth
> credentials
> -------------------------------------------------------------------------------
>
> Key: KNOX-27
> URL: https://issues.apache.org/jira/browse/KNOX-27
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Kevin Minder
> Assignee: Dilli Arumugam
>
> From BUG-4306
> The basic interactions flow might look like this.
> 1. Client requests HDFS resource via gateway
> 2. Gateway challenges with basic auth
> 3. Gateway authenticates with KDC and receives token
> 4. Gateway forwards original request to service
> 5. Service challenges with SPNEGO
> 6. Gateway provides token received from KDC
> 7. Service provides response including hadoop.auth cookie. This prevents
> subsequent KDC and SPNEGO interactions.
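The trade-off discussed above (one KDC round trip per client request in the phase-one flow, versus reusing the hadoop.auth cookie named in the issue description) can be modelled as follows. This is an added example, not code from the issue or from Apache Knox; the class names, the `ttl` value, the passwords and the cookie contents are constructed, and the model assumes the cookie authenticates the gateway while `doas` is still sent on every request.

```python
import base64, hmac

class Kdc:
    """Constructed stand-in for the KDC; counts service-ticket requests."""
    def __init__(self):
        self.calls = 0
    def service_ticket(self, client, service):
        self.calls += 1
        return f"{client}->{service}#{self.calls}".encode()

class Service:
    """Constructed stand-in for the SPNEGO-protected service (token not verified)."""
    def __init__(self, ttl):
        self.ttl, self.issued = ttl, {}          # cookie value -> expiry time
    def handle(self, doas, headers, now):
        if self.issued.get(headers.get("Cookie"), -1) > now:
            return 200, {}, f"ok doas={doas}"    # unexpired hadoop.auth cookie
        if not headers.get("Authorization", "").startswith("Negotiate "):
            return 401, {"WWW-Authenticate": "Negotiate"}, ""   # step 4
        cookie = f"hadoop.auth=model-{len(self.issued)}"
        self.issued[cookie] = now + self.ttl
        return 200, {"Set-Cookie": cookie}, f"ok doas={doas}"

class Gateway:
    def __init__(self, kdc, service, users, reuse_cookie):
        self.kdc, self.service, self.users = kdc, service, users
        self.reuse_cookie, self.cookie = reuse_cookie, None
    def request(self, user, password, now):
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return 401, ""                       # step 2: basic auth failed
        headers = {"Cookie": self.cookie} if self.reuse_cookie and self.cookie else {}
        status, resp, body = self.service.handle(user, headers, now)   # step 3
        if status == 401 and resp.get("WWW-Authenticate") == "Negotiate":
            ticket = self.kdc.service_ticket("knox", "service")        # step 5
            token = base64.b64encode(ticket).decode()
            status, resp, body = self.service.handle(
                user, {"Authorization": "Negotiate " + token}, now)
            if self.reuse_cookie and "Set-Cookie" in resp:
                self.cookie = resp["Set-Cookie"]
        return status, body

def run(reuse_cookie, n_requests=6, ttl=3):
    """Alternate requests from two users; return (KDC calls, responses)."""
    kdc = Kdc()
    gw = Gateway(kdc, Service(ttl), {"joe": "pw-joe", "ann": "pw-ann"}, reuse_cookie)
    results = [gw.request(u, "pw-" + u, now)
               for now, u in zip(range(n_requests), ["joe", "ann"] * n_requests)]
    return kdc.calls, results
```

In this model the cookie is held by the gateway and shared across end users, so it has to be protected like any other gateway credential and refreshed when the service rejects it.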