That makes sense, Dilli. Support for the hadoop auth-cookie in there is probably a benefit and I don't believe that hadoop-auth pulls in any unwanted dependencies either - so it should be ideal.
We'll just keep this alternative in our back pocket just in case. :-)

thanks!

On Thu, Aug 29, 2013 at 1:58 PM, Dilli Arumugam <[email protected]> wrote:

> Hi Larry,
>
> Hadoop Auth, http://hadoop.apache.org/docs/current/hadoop-auth/index.html,
> already supports SPNego.
>
> It may be better to use that for Knox as well instead of adding another
> dependency.
> I would be exploring this as part of fixing
> https://issues.apache.org/jira/browse/KNOX-25.
>
> If we hit a serious problem using Hadoop auth in Knox, we may want to
> investigate http://spnego.sourceforge.net/index.html.
>
> Thanks
> Dilli
>
> On Thu, Aug 29, 2013 at 10:03 AM, larry mccay <[email protected]> wrote:
>
> > All -
> >
> > I have been considering the use of the following project to add support for
> > SPNEGO authentication for REST clients to the Knox Gateway.
> >
> > http://spnego.sourceforge.net/index.html
> >
> > "However, if your organization uses java based web/application servers, and
> > you prefer Kerberos <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29>/
> > SPNEGO <http://en.wikipedia.org/wiki/SPNEGO> instead of
> > NTLM <http://en.wikipedia.org/wiki/NTLM> as the authentication protocol,
> > and you would rather have a Java Servlet Filter
> > <http://www.jcp.org/en/jsr/detail?id=53> (JSR-53) based implementation
> > instead of a container specific authentication module
> > <http://www.jcp.org/en/jsr/detail?id=196> (JSR-196), and you want SSO
> > (no username/password prompt), then this project may be of some interest to
> > you."
> >
> > This may or may not buy us anything above and beyond how it is already done
> > within Hadoop. We would certainly need to make sure that it doesn't somehow
> > interfere with existing implementations.
> >
> > At any rate, the development of an authentication provider from this would
> > be really straight forward - the documentation spells out exactly what our
> > providerContributor would need to do in order to inject the filter.
> >
> > The usecases enabled with this provider would be:
> >
> > 1. Client authenticating to Gateway with SPNEGO and accessing Pseudo/Simple
> >    Hadoop Cluster with identity asserted to cluster via user.name
> > 2. Client authenticating to Gateway with SPNEGO and accessing kerberos
> >    secured Hadoop Cluster with Gateway authenticating to services and identity
> >    asserted to cluster via trusted proxy user doAs
> >
> > Interested in opinions on whether we should consider this.
> > Given a general feeling that we could use it we can file a JIRA to add it.
> >
> > thanks,
> >
> > --larry
