Okay - glad that it is planned. We'll need to drill down into the challenges of multiple Kerberos-protected clusters a bit more; there is likely a way to make that work, perhaps with a custom configuration manager for JAAS or the like.
HSSO roadmap is not entirely clear. It has been suggested that a single HSSO instance may need to handle multiple clusters for SSO across clusters. We will have to evaluate the tradeoffs between that approach and a trust relationship between HSSO instances across clusters.

On Tue, Jun 4, 2013 at 12:47 AM, Dilli Arumugam <[email protected]> wrote:

> Larry,
>
> Work on eliminating the dependency on the system property for determining
> whether to pass the doas parameter is planned. Kevin also pointed out the need
> for this.
>
> At the same time, one Gateway supporting multiple clusters with each
> cluster having its own KDC would be challenging. Kerberos JAAS config
> properties have to be set globally at the JDK level of the Gateway.
>
> As I understand it, the HSSO roadmap also requires one Gateway per cluster.
>
> We could discuss this over chat or phone to get better clarification.
>
> Thanks
> Dilli
>
> On Mon, Jun 3, 2013 at 6:32 PM, Larry McCay (JIRA) <[email protected]> wrote:
>
> > [ https://issues.apache.org/jira/browse/KNOX-27?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13673916#comment-13673916 ]
> >
> > Larry McCay commented on KNOX-27:
> > ---------------------------------
> >
> > The patch appears to require a System property to determine whether or
> > not to set the doas parameter.
> >
> > + if ("true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED))) {
> > + params.put(DOAS_PRINCIPAL_PARAM, al.toArray(a));
> > + } else {
> > + params.put(PRINCIPAL_PARAM, al.toArray(a));
> > + }
> >
> > I believe that setting a global like a system property will require
> > identities to be asserted with the doas across all clusters managed by the
> > gateway.
> > Is this what we really want there?
> >
> > I think that we need a config element for the pseudo identity assertion
> > provider that indicates that that particular cluster requires a doas.
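Review bot: The doas decision in this hunk keys off a JVM-wide System property (GatewayConfig.HADOOP_KERBEROS_SECURED), so every cluster fronted by one gateway gets the same answer; the choice should come from per-cluster configuration (a config element on the identity assertion provider for that topology, as the comment suggests) rather than global JVM state. As a style point, the two branches differ only in the parameter name, so compute the name once and call put once: `String name = secured ? DOAS_PRINCIPAL_PARAM : PRINCIPAL_PARAM;` followed by `params.put(name, al.toArray(a));`.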
> >> Access Kerberos secured Hadoop cluster via gateway using basic auth credentials
> >> -------------------------------------------------------------------------------
> >>
> >>                 Key: KNOX-27
> >>                 URL: https://issues.apache.org/jira/browse/KNOX-27
> >>             Project: Apache Knox
> >>          Issue Type: New Feature
> >>          Components: Server
> >>            Reporter: Kevin Minder
> >>            Assignee: Dilli Arumugam
> >>         Attachments: KNOX-27.patch, knox-with-secure-cluster.patch
> >>
> >> From BUG-4306
> >> The basic interactions flow might look like this.
> >> 1. Client requests HDFS resource via gateway
> >> 2. Gateway challenges with basic auth
> >> 3. Gateway authenticates with KDC and receives token
> >> 4. Gateway forwards original request to service
> >> 5. Service challenges with SPNEGO
> >> 6. Gateway provides token received from KDC
> >> 7. Service provides response including hadoop.auth cookie. This
> >> prevents subsequent KDC and SPNEGO interactions.
> >
> > --
> > This message is automatically generated by JIRA.
> > If you think it was sent incorrectly, please contact your JIRA administrators
> > For more information on JIRA, see: http://www.atlassian.com/software/jira
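As an added example, not Knox code and not from the patch discussed in the thread: the per-cluster replacement for the System property check, where each topology declares whether its cluster is Kerberos secured and the gateway picks the principal parameter per request. Class and method names are hypothetical, and the parameter and property values are assumed rather than taken from Knox.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Knox code. Per-cluster decision on whether the gateway
// must assert identity with doAs, instead of the JVM-wide System property the
// KNOX-27 patch reads. Names are hypothetical; "user.name", "doAs" and the
// property name are assumed values.
public class ClusterIdentityAssertion {
    static final String PRINCIPAL_PARAM = "user.name";  // assumed value
    static final String DOAS_PRINCIPAL_PARAM = "doAs";  // assumed value
    static final String HADOOP_KERBEROS_SECURED = "gateway.hadoop.kerberos.secured"; // assumed
    // Topology (cluster) name -> does that cluster sit behind Kerberos/SPNEGO?
    private final Map<String, Boolean> kerberosSecured = new HashMap<>();

    void configureCluster(String cluster, boolean secured) {
        kerberosSecured.put(cluster, secured);
    }

    // Per-cluster answer: an unknown cluster is an error, not a silent default.
    boolean requiresDoAs(String cluster) {
        Boolean secured = kerberosSecured.get(cluster);
        if (secured == null) {
            throw new IllegalArgumentException("no identity assertion config for " + cluster);
        }
        return secured;
    }

    // Builds the principal query parameter added to the forwarded request.
    Map<String, String[]> principalParams(String cluster, String effectiveUser) {
        Map<String, String[]> params = new HashMap<>();
        String name = requiresDoAs(cluster) ? DOAS_PRINCIPAL_PARAM : PRINCIPAL_PARAM;
        params.put(name, new String[] { effectiveUser });
        return params;
    }

    // What the patch does today: one answer for every cluster in the JVM.
    static boolean globalRequiresDoAs() {
        return "true".equals(System.getProperty(HADOOP_KERBEROS_SECURED));
    }

    public static void main(String[] args) {
        ClusterIdentityAssertion ia = new ClusterIdentityAssertion();
        ia.configureCluster("secure-prod", true);  // constructed: Kerberos secured
        ia.configureCluster("sandbox", false);     // constructed: simple auth only
        System.setProperty(HADOOP_KERBEROS_SECURED, "true");
        for (String cluster : new String[] { "secure-prod", "sandbox" }) {
            String param = ia.principalParams(cluster, "alice").keySet().iterator().next();
            System.out.println(cluster + ": global=" + globalRequiresDoAs()
                + " perCluster=" + ia.requiresDoAs(cluster) + " param=" + param);
        }
    }
}
```

With both clusters behind one gateway, the global check answers the same for both while the per-cluster check sends doAs only to the secured one.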
