[
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17254375#comment-17254375
]
Josh Elser commented on CALCITE-4152:
-------------------------------------
Looking at this for fun, the general wag at what Hadoop is doing is this...
* After a successful SPNEGO auth'n, they send a SetCookie header back to the
client
* The cookie looks something like {{Set-Cookie:
hadoop.auth="u=guest&p=guest/c6401.ambari.apache....@example.com&t=kerberos&e=1487947765114&s=fNpq9FYy2DA19Rah7586rgsAieI=";
Path=gateway/default; Domain=ambari.apache.org; Secure; HttpOnly}}
* The token data is "username", (kerberos) "principal", authentication type,
expiration time
* This token data is signed with HmacSHA256 and that's included as
"{{fNpq9FYy2DA19Rah7586rgsAieI="}}
* The signature is used when the token is passed back to the server to
validate that the token itself wasn't changed (e.g. user doesn't modify it and
say they're someone else)
* If the user doesn't provide the token (via the cookie), spnego authn happens
normally. When spnego authn succeeds, it sets a new cookie
* If the user provides the token (via the cookie) and the token is valid (the
signature matches), then user is marked as "authenticated" (as the user who is
specified in that auth token).
I think I can break this up into a couple of steps:
# Show that we can bypass spnego successfully with a cookie that just has
basic info. Will have to add indirection in AbstractAvaticaHandler to not pull
the user directly from the HttpServletRequest. Update the client, maybe (the
http client we use may automatically pass it along)?
# Make the plan cookie data into a protobuf or other serializable data
structure
# Add signing of the cookie data
# Add expiration of the auth cookie
> Avoid SPNEGO re-negotiation for each request
> --------------------------------------------
>
> Key: CALCITE-4152
> URL: https://issues.apache.org/jira/browse/CALCITE-4152
> Project: Calcite
> Issue Type: Improvement
> Components: avatica
> Reporter: Istvan Toth
> Priority: Major
>
> When using SPNEGO authentication with Avatica, every HTTP request
> re-initiates the negotiation, doubling the number HTTP requests.
> Consider switching to cookies after the initial SPNEGO authentication
> succeeds.
> Jetty ticket that discusses the issue:
> [https://github.com/eclipse/jetty.project/issues/2868]
> Description of the Knox implementation
> [https://cwiki.apache.org/confluence/display/KNOX/2017/02/24/Hadoop+Auth+%28SPNEGO+and+delegation+token+based+authentication%29+with+Apache+Knox]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
