Hi Larry,

Hadoop Auth, http://hadoop.apache.org/docs/current/hadoop-auth/index.html,
already supports SPNego.

It may be better to use that for Knox as well instead of adding another
dependency.
I would be exploring this as part of fixing
https://issues.apache.org/jira/browse/KNOX-25.

If we hit a serious problem using Hadoop auth in Knox, we may want to
investigate http://spnego.sourceforge.net/index.html.


Thanks
Dilli



On Thu, Aug 29, 2013 at 10:03 AM, larry mccay <[email protected]> wrote:

> All -
>
> I have been considering the use of the following project to add support for
> SPNEGO authentication for REST clients to the Knox Gateway.
>
> http://spnego.sourceforge.net/index.html
>
> "However, if your organization uses java based web/application servers, and
> you prefer Kerberos <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29> /
> SPNEGO <http://en.wikipedia.org/wiki/SPNEGO> instead of
> NTLM <http://en.wikipedia.org/wiki/NTLM> as
> the authentication protocol, and you would rather have a Java Servlet
> Filter <http://www.jcp.org/en/jsr/detail?id=53> (JSR-53)
> based implementation instead of a container specific authentication
> module <http://www.jcp.org/en/jsr/detail?id=196> (JSR-196),
> and you want SSO
> (no username/password prompt), then this project may be of some interest to
> you."
>
> This may or may not buy us anything above and beyond how it is already done
> within Hadoop. We would certainly need to make sure that it doesn't somehow
> interfere with existing implementations.
>
> At any rate, the development of an authentication provider from this would
> be really straightforward - the documentation spells out exactly what our
> providerContributor would need to do in order to inject the filter.
>
> The use cases enabled with this provider would be:
>
> 1. Client authenticating to Gateway with SPNEGO and accessing Pseudo/Simple
> Hadoop Cluster with identity asserted to cluster via user.name
> 2. Client authenticating to Gateway with SPNEGO and accessing Kerberos
> secured Hadoop Cluster with Gateway authenticating to services and identity
> asserted to cluster via trusted proxy user doAs
>
> Interested in opinions on whether we should consider this.
> Given a general feeling that we could use it we can file a JIRA to add it.
>
> thanks,
>
> --larry
>
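
Both use cases in the quoted proposal rely on the gateway, not the client, choosing the identity that reaches the cluster, so any `user.name` or `doAs` parameter the client sent has to be discarded before the gateway appends its own. The Java below is an added example, not code from Knox, Hadoop Auth or this thread; the class and method names, the realm-stripping short-name rule and the sample request are assumptions, and it covers only the query rewriting, not the gateway's own authentication to the cluster.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example (not Knox or Hadoop Auth code); all names here are hypothetical.
public class IdentityAssertionExample {
    enum ClusterMode { SIMPLE, KERBEROS }

    // Assumed simplification: "alice@EXAMPLE.COM" or "alice/host@EXAMPLE.COM" -> "alice".
    // Real deployments map principals with configured rules instead.
    static String shortName(String principal) {
        int cut = principal.length();
        for (char sep : new char[] {'/', '@'}) {
            int i = principal.indexOf(sep);
            if (i >= 0 && i < cut) cut = i;
        }
        if (cut == 0) throw new IllegalArgumentException("principal has no primary part");
        return principal.substring(0, cut);
    }

    // Drop every identity parameter the client sent, then append the single
    // identity the gateway verified through SPNEGO.
    static String assertIdentity(String rawQuery, String principal, ClusterMode mode) {
        List<String> kept = new ArrayList<>();
        for (String pair : (rawQuery == null ? "" : rawQuery).split("&")) {
            if (pair.isEmpty()) continue;
            // Decode the name before comparing so "user%2Ename" cannot slip past;
            // malformed escapes throw IllegalArgumentException and fail the request.
            String name = URLDecoder.decode(pair.split("=", 2)[0], StandardCharsets.UTF_8)
                    .toLowerCase(Locale.ROOT);
            if (name.equals("user.name") || name.equals("doas")) continue;
            kept.add(pair);
        }
        String param = (mode == ClusterMode.SIMPLE) ? "user.name" : "doAs";
        kept.add(param + "=" + URLEncoder.encode(shortName(principal), StandardCharsets.UTF_8));
        return String.join("&", kept);
    }

    public static void main(String[] args) {
        // Constructed request in which the client tries to supply its own identity.
        String q = "op=LISTSTATUS&user.name=hdfs&DoAs=root&user%2Ename=hdfs";
        System.out.println(assertIdentity(q, "alice@EXAMPLE.COM", ClusterMode.SIMPLE));
        System.out.println(assertIdentity(q, "alice/gw.example.com@EXAMPLE.COM", ClusterMode.KERBEROS));
    }
}
```

In the Kerberos case the appended `doAs` only takes effect if the cluster is configured to trust the gateway's own principal as a proxy user, which is what keeps the parameter from being usable by arbitrary callers.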
