[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16880585#comment-16880585 ]

Nixon Rodrigues commented on ATLAS-3153:

[~bolke], I have documented the mvn command to run the test and the error trace in the following Jira: https://issues.apache.org/jira/browse/ATLAS-3317

> Support OpenID Connect directly rather than through Knox
>
> Key: ATLAS-3153
> URL: https://issues.apache.org/jira/browse/ATLAS-3153
> Project: Atlas
> Issue Type: Improvement
> Components: atlas-core, atlas-webui
> Affects Versions: 2.0.0
> Reporter: Bolke de Bruin
> Priority: Major
> Labels: authentication, authorization
> Fix For: 3.0.0
>
> Attachments: 0001-ATLAS-3153-Add-keycloak-authentication.patch, 0001-ATLAS-3153-Testcase-fix-due-to-Keycloak-authenticati.patch, application.log, keycloak.json, openid_connect_atlas.md
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The current SSO implementation with Apache Knox is limiting SSO interoperability to Apache Knox. Knox uses JWT verification which could easily be extended to allow for direct OpenID Connect support and doesn't require organizations to deploy Knox.
> Required changes:
> * Pickup bearer token from headers
> * Improve and standardize redirecting
> * Optionally: obtain certificates from well_known uri
> * Optionally: obtain user groups from userinfo endpoint rather than UGI

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16880583#comment-16880583 ]

Bolke de Bruin commented on ATLAS-3153:

[~nixonrodrigues] can you share a bit more about what is failing exactly? I assume IT is integration test? Can I reproduce the test somehow?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16880578#comment-16880578 ]

Nixon Rodrigues commented on ATLAS-3153:

[~bolke], ITs are failing owing to the commit of this patch. Can you please look into this?

{noformat}
[INFO] --- jetty-maven-plugin:9.3.14.v20161028:deploy-war (start-jetty) @ atlas-webapp ---
[INFO] Logging initialized @220653ms
[INFO] Configuring Jetty for project: Apache Atlas Web Application
[INFO] Context path = /
[INFO] Tmp directory = /home/jenkins/jenkins-slave/workspace/PreCommit-ATLAS-Build-Test@2/webapp/target/tmp
[INFO] Web defaults = org/eclipse/jetty/webapp/webdefault.xml
[INFO] Web overrides = none
[INFO] jetty-9.3.14.v20161028
[INFO] Scanning elapsed time=67258ms
[WARNING] Failed startup of context o.e.j.m.p.JettyWebAppContext@2eb2d10c{/,file:///home/jenkins/jenkins-slave/workspace/PreCommit-ATLAS-Build-Test@2/webapp/target/atlas-webapp-3.0.0-SNAPSHOT/,UNAVAILABLE}{/home/jenkins/jenkins-slave/workspace/PreCommit-ATLAS-Build-Test@2/webapp/target/atlas-webapp-3.0.0-SNAPSHOT.war}
java.lang.Exception: Timeout scanning annotations
    at org.eclipse.jetty.annotations.AnnotationConfiguration.scanForAnnotations (AnnotationConfiguration.java:578)
    at org.eclipse.jetty.annotations.AnnotationConfiguration.configure (AnnotationConfiguration.java:447)
    at org.eclipse.jetty.webapp.WebAppContext.configure (WebAppContext.java:494)
    at org.eclipse.jetty.webapp.WebAppContext.startContext (WebAppContext.java:1361)
    at org.eclipse.jetty.server.handler.ContextHandler.doStart (ContextHandler.java:778)
    at org.eclipse.jetty.servlet.ServletContextHandler.doStart (ServletContextHandler.java:262)
    at org.eclipse.jetty.webapp.WebAppContext.doStart (WebAppContext.java:520)
    at org.eclipse.jetty.maven.plugin.JettyWebAppContext.doStart (JettyWebAppContext.java:398)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start (AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start (ContainerLifeCycle.java:131)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart (ContainerLifeCycle.java:113)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart (AbstractHandler.java:61)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart (ContextHandlerCollection.java:161)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start (AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start (ContainerLifeCycle.java:131)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart (ContainerLifeCycle.java:113)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart (AbstractHandler.java:61)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start (AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start (ContainerLifeCycle.java:131)
    at org.eclipse.jetty.server.Server.start (Server.java:422)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart (ContainerLifeCycle.java:105)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart (AbstractHandler.java:61)
    at org.eclipse.jetty.server.Server.doStart (Server.java:389)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start (AbstractLifeCycle.java:68)
    at org.eclipse.jetty.maven.plugin.AbstractJettyMojo.startJetty (AbstractJettyMojo.java:460)
    at org.eclipse.jetty.maven.plugin.AbstractJettyMojo.execute (AbstractJettyMojo.java:328)
    at org.eclipse.jetty.maven.plugin.JettyRunWarMojo.execute (JettyRunWarMojo.java:64)
    at org.eclipse.jetty.maven.plugin.JettyDeployWar.execute (JettyDeployWar.java:65)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879541#comment-16879541 ]

ASF subversion and git services commented on ATLAS-3153:

Commit fd2544978658fbb8c1ee1164b286727af28770e5 in atlas's branch refs/heads/branch-2.0 from Bolke de Bruin
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=fd25449 ]

ATLAS-3153 :- Add Keycloak authentication method to Atlas.

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

This enabled Atlas to use OpenID Connect (OAUTH2) and allows integration with more services.

Signed-off-by: nixonrodrigues
(cherry picked from commit 645bc94e59969d08b81e7af7a5a2db78207ab3fe)
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879542#comment-16879542 ]

ASF subversion and git services commented on ATLAS-3153:

Commit 88ea258638d5dcb5911c6da406d3b136dab27ebc in atlas's branch refs/heads/branch-2.0 from Nixon Rodrigues
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=88ea258 ]

ATLAS-3153 : Testcase fix due to Keycloak authentication method commit.

(cherry picked from commit e7071476aaba064d0967531cda6d9221f918db4e)
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879110#comment-16879110 ]

ASF subversion and git services commented on ATLAS-3153:

Commit e7071476aaba064d0967531cda6d9221f918db4e in atlas's branch refs/heads/master from Nixon Rodrigues
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=e707147 ]

ATLAS-3153 : Testcase fix due to Keycloak authentication method commit.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16878682#comment-16878682 ]

ASF subversion and git services commented on ATLAS-3153:

Commit 645bc94e59969d08b81e7af7a5a2db78207ab3fe in atlas's branch refs/heads/master from Bolke de Bruin
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=645bc94 ]

ATLAS-3153 :- Add Keycloak authentication method to Atlas.

Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

This enabled Atlas to use OpenID Connect (OAUTH2) and allows integration with more services.

Signed-off-by: nixonrodrigues
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16878540#comment-16878540 ]

Nixon Rodrigues commented on ATLAS-3153:

[~bolke], I am doing the final validation. The patch looks good, will merge it by EOD.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16878538#comment-16878538 ]

Bolke de Bruin commented on ATLAS-3153:

[~saqeeb.shaikh136] can we have this merged please?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16875578#comment-16875578 ]

Bolke de Bruin commented on ATLAS-3153:

ping [~saqeeb.shaikh136]. I have created the first version for bridges, quickstart and examples, but it is dependent on this one. Also note that Knox does not have support in Atlas client side.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16873590#comment-16873590 ]

Bolke de Bruin commented on ATLAS-3153:

[~saqeeb.shaikh136] I have created ATLAS-3309 to track this. Can this now be merged?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16872968#comment-16872968 ]

Saqeeb Shaikh commented on ATLAS-3153:

[~bolke] tracking import hive and quick start under a separate Jira sounds good to me. We can get started on that.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16872629#comment-16872629 ]

Bolke de Bruin commented on ATLAS-3153:

[~saqeeb.shaikh136] both would need changes. Can I suggest doing that outside of this PR? I’m happy to do so, but it seems not the ‘same unit’ of work.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16871223#comment-16871223 ]

Saqeeb Shaikh commented on ATLAS-3153:

[~bolke] I was able to successfully log in to Atlas through Keycloak on a kerberized cluster after disabling the kerberos config from Keycloak. Can you please check the quick start and import hive scripts with keycloak authentication?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16870629#comment-16870629 ]

Bolke de Bruin commented on ATLAS-3153:

After our discussion I verified:
* MIT kdc, with Kerberized Atlas
* HDP 3.1, FreeIPA, with Kerberized Atlas

Both are working fine (i.e. client is redirected).
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16866719#comment-16866719 ]

Bolke de Bruin commented on ATLAS-3153:

Sure will do. We should have some overlap :)
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16866366#comment-16866366 ]

Saqeeb Shaikh commented on ATLAS-3153:

[~bolke], can we have a WebEx session to understand the issue, and I can show the configs and logs on my setup. Please send me an invite: saqeeb.shaikh136 at gmail.com. I work in the IST timezone and can be available from 9:00 IST to 21:30 IST.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16864630#comment-16864630 ]

Bolke de Bruin commented on ATLAS-3153:

Ping [~saqeeb.shaikh136]? I really need some more info in order to reproduce.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16859322#comment-16859322 ]

Bolke de Bruin commented on ATLAS-3153:

[~saqeeb.shaikh136] can you share a bit more on the flow you did and your configuration? I'm having difficulty replicating the behavior I think you are describing. I have tested this with a manually configured KDC. I do see that while a Kerberos credential can be available a redirect still happens due to the fact that Keycloak's filters are earlier in the chain. This is equal to Knox integration (I have never used Knox, but its filter is also earlier in the chain) it seems.

In short I can turn on Kerberos and Keycloak and Atlas will always use Keycloak.
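
A model of the filter ordering described in the comment above, as an added example that is not Atlas or Keycloak adapter code: the first filter that produces a response decides the authentication path, so an OpenID Connect filter placed ahead of the Kerberos filter redirects even a request that carries a SPNEGO credential. All class, filter and outcome names are hypothetical, and the header values are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical model of an authentication filter chain; no servlet API needed.
public class FilterOrderDemo {

    enum Outcome { VERIFY_BEARER_TOKEN, REDIRECT_TO_IDP, SPNEGO, PASS }

    interface AuthFilter {
        Outcome apply(Map<String, String> headers);
    }

    // RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token.
    // Auth scheme names are case-insensitive (RFC 7235).
    private static final Pattern BEARER =
        Pattern.compile("^Bearer +([A-Za-z0-9\\-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

    // "Pickup bearer token from headers": returns the token only when the
    // Authorization header is a well-formed Bearer credential.
    static Optional<String> bearerToken(Map<String, String> headers) {
        String value = headers.get("Authorization");
        if (value == null) {
            return Optional.empty();
        }
        Matcher m = BEARER.matcher(value.trim());
        return m.matches() ? Optional.of(m.group(1)) : Optional.empty();
    }

    // Modelled OIDC filter: a bearer token goes to verification (signature,
    // issuer, audience and expiry still have to be checked; not shown here),
    // anything else is redirected to the identity provider. It never passes.
    static final AuthFilter OIDC = headers ->
        bearerToken(headers).isPresent() ? Outcome.VERIFY_BEARER_TOKEN
                                         : Outcome.REDIRECT_TO_IDP;

    // Modelled Kerberos filter: only acts on "Authorization: Negotiate ...".
    static final AuthFilter KERBEROS = headers -> {
        String value = headers.get("Authorization");
        boolean negotiate = value != null
            && value.regionMatches(true, 0, "Negotiate ", 0, 10);
        return negotiate ? Outcome.SPNEGO : Outcome.PASS;
    };

    // The first filter that does not pass the request on decides the outcome.
    static Outcome run(List<AuthFilter> chain, Map<String, String> headers) {
        for (AuthFilter filter : chain) {
            Outcome outcome = filter.apply(headers);
            if (outcome != Outcome.PASS) {
                return outcome;
            }
        }
        return Outcome.PASS;
    }

    // Header names are case-insensitive, so use a case-insensitive map.
    static Map<String, String> request(String authorization) {
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        if (authorization != null) {
            headers.put("authorization", authorization);
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample requests; the credential values are placeholders.
        String[] labels = { "bearer token", "SPNEGO credential", "no credential" };
        List<Map<String, String>> requests = Arrays.asList(
            request("Bearer eyJhbGciOi.constructed.token"),
            request("Negotiate YIIconstructed=="),
            request(null));

        List<AuthFilter> oidcFirst = Arrays.asList(OIDC, KERBEROS);
        List<AuthFilter> kerberosFirst = Arrays.asList(KERBEROS, OIDC);

        for (int i = 0; i < labels.length; i++) {
            System.out.printf("%-18s OIDC first: %-20s Kerberos first: %s%n",
                labels[i],
                run(oidcFirst, requests.get(i)),
                run(kerberosFirst, requests.get(i)));
        }
    }
}
```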
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16855708#comment-16855708 ] Bolke de Bruin commented on ATLAS-3153: [~saqeeb.shaikh136] Let me verify.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16855675#comment-16855675 ] Saqeeb Shaikh commented on ATLAS-3153: [~bolke], I tested the patch on an HDP cluster with Kerberos ON and encountered issues while forwarding the request to the Keycloak challenge page. The same setup on local (without Kerberos ON) works well. Attached logs and keycloak.json. Can you please verify this setup on your end with Kerberos ON? PFA [^keycloak.json] [^application.log] cc: [~madhan.neethiraj]
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16852947#comment-16852947 ] Bolke de Bruin commented on ATLAS-3153: Ping? Can this be merged now?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850144#comment-16850144 ] Bolke de Bruin commented on ATLAS-3153: [~sarath.ku...@gmail.com] I have added the file. Mostly copied from the PR with some additions.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850080#comment-16850080 ] Bolke de Bruin commented on ATLAS-3153: [~sarath.ku...@gmail.com] as mentioned this is already part of the PR? Isn’t the twiki used for this?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850056#comment-16850056 ] Sarath Subramanian commented on ATLAS-3153: [~bolke], like Srikanth mentioned - "a design doc for the use case and the arch. and configs needed for Atlas to consume OpenID asserted credentials? Perhaps an interaction diagram to explain how this feature will work, the actual flow, and configs needed (for example how the user/group mappings are fetched)"
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850029#comment-16850029 ] Bolke de Bruin commented on ATLAS-3153: [~sarath.ku...@gmail.com] sure, can you explain what you would like to see in the design doc? Both OpenID Connect and Spring Security are well understood. The roles / groups might be something as they can be obtained from Keycloak instead of UGI. That’s also pretty straightforward. Can you give me some guidance?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850011#comment-16850011 ] Sarath Subramanian commented on ATLAS-3153: [~bolke] can you attach the design doc in the JIRA?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16849642#comment-16849642 ] Saqeeb Shaikh commented on ATLAS-3153: Thanks for the patch [~bolke]. I have done basic validations with keycloak server, it looks good.
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16849115#comment-16849115 ] Bolke de Bruin commented on ATLAS-3153: Ping?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16846470#comment-16846470 ] Bolke de Bruin commented on ATLAS-3153: [~srikvenk] I have already included documentation in the PR (twiki) that describes this. Do you want me to extend that? We don't use Azure but the Keycloak client should work with any OAuth provider or (preferred) OpenID Connect (a layer on top of OAuth). Azure supports both, so with proper configuration in keycloak.json and maybe a mapper defined in Azure's service definition this should 'just' work. AuthN/Z are then both supported. If you disable Hadoop's UGI integration as documented you have roles/groups (exclusive; this is a limitation of Atlas at the moment, not of Keycloak/OpenID).
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16846433#comment-16846433 ] Srikanth Venkat commented on ATLAS-3153: [~bolke] This is a good addition. Can you help the community by providing a design doc for the use case and the arch. and configs needed for Atlas to consume OpenID asserted credentials? Perhaps an interaction diagram to explain how this feature will work, the actual flow, and configs needed (for example how the user/group mappings are fetched) will be useful to review the patch and understand the feature. Also, quick question: will a similar mechanism work for Azure AD via OAuth2 (especially from an authN/authZ perspective)?
[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox
[ https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16844517#comment-16844517 ] Ashutosh Mestry commented on ATLAS-3153: Thanks for the patch. It is being reviewed.