[ https://issues.apache.org/jira/browse/KNOX-27?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13673916#comment-13673916 ]
Larry McCay commented on KNOX-27:
---------------------------------
The patch appears to require a System property to determine whether or not to
set the doas parameter.
+ if
("true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED))) {
+ params.put(DOAS_PRINCIPAL_PARAM, al.toArray(a));
+ } else {
+ params.put(PRINCIPAL_PARAM, al.toArray(a));
+ }
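Review bot: The condition on the `if` line reads a JVM-wide system property, so the choice between DOAS_PRINCIPAL_PARAM and PRINCIPAL_PARAM applies to the whole gateway process and cannot differ from one cluster to another; take the flag from this provider's own configuration instead. The `"true".equals(...)` test is also an exact, case-sensitive match, so an unset property or a value such as "TRUE" silently falls into the else branch and selects PRINCIPAL_PARAM; consider Boolean.parseBoolean and a log line recording which parameter was chosen.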
I believe that setting a global like a system property will require identities
to be asserted with the doas across all clusters managed by the gateway.
Is this what we really want there?
I think that we need a config element for the pseudo identity assertion
provider that indicates that that particular cluster requires a doas.
> Access Kerberos secured Hadoop cluster via gateway using basic auth
> credentials
> -------------------------------------------------------------------------------
>
> Key: KNOX-27
> URL: https://issues.apache.org/jira/browse/KNOX-27
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Kevin Minder
> Assignee: Dilli Arumugam
> Attachments: KNOX-27.patch, knox-with-secure-cluster.patch
>
>
> From BUG-4306
> The basic interactions flow might look like this.
> 1. Client requests HDFS resource via gateway
> 2. Gateway challenges with basic auth
> 3. Gateway authenticates with KDC and receives token
> 4. Gateway forwards original request to service
> 5. Service challenges with SPNEGO
> 6. Gateway provides token received from KDC
> 7. Service provides response including hadoop.auth cookie. This prevents
> subsequent KDC and SPNEGO interactions.