[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-07-08 Thread Nixon Rodrigues (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16880585#comment-16880585
 ] 

Nixon Rodrigues commented on ATLAS-3153:


[~bolke], I have documented the mvn command to run the test and the error trace in 
the following Jira:

https://issues.apache.org/jira/browse/ATLAS-3317

> Support OpenID Connect directly rather than through Knox
> 
>
> Key: ATLAS-3153
> URL: https://issues.apache.org/jira/browse/ATLAS-3153
> Project: Atlas
>  Issue Type: Improvement
>  Components:  atlas-core, atlas-webui
>Affects Versions: 2.0.0
>Reporter: Bolke de Bruin
>Priority: Major
>  Labels: authentication, authorization
> Fix For: 3.0.0
>
> Attachments: 0001-ATLAS-3153-Add-keycloak-authentication.patch, 
> 0001-ATLAS-3153-Testcase-fix-due-to-Keycloak-authenticati.patch, 
> application.log, keycloak.json, openid_connect_atlas.md
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> The current SSO implementation with Apache Knox is limiting SSO 
> interoperability to Apache Knox. Knox uses JWT verification which could 
> easily be extended to allow for direct OpenID Connect support and doesn't 
> require organizations to deploy Knox.
> Required changes:
>  * Pickup bearer token from headers
>  * Improve and standardize redirecting
>  * Optionally: obtain certificates from well_known uri
>  * Optionally: obtain user groups from userinfo endpoint rather than UGI



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-07-08 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16880583#comment-16880583
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~nixonrodrigues] Can you share a bit more what is failing exactly? I assume IT 
is integration test? Can I reproduce the test somehow?



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-07-08 Thread Nixon Rodrigues (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16880578#comment-16880578
 ] 

Nixon Rodrigues commented on ATLAS-3153:


[~bolke], ITs are failing owing to the commit of this patch. Can you please look 
into this?

{noformat}
[INFO] --- jetty-maven-plugin:9.3.14.v20161028:deploy-war (start-jetty) @ atlas-webapp ---
[INFO] Logging initialized @220653ms
[INFO] Configuring Jetty for project: Apache Atlas Web Application
[INFO] Context path = /
[INFO] Tmp directory = /home/jenkins/jenkins-slave/workspace/PreCommit-ATLAS-Build-Test@2/webapp/target/tmp
[INFO] Web defaults = org/eclipse/jetty/webapp/webdefault.xml
[INFO] Web overrides =  none
[INFO] jetty-9.3.14.v20161028
[INFO] Scanning elapsed time=67258ms
[WARNING] Failed startup of context o.e.j.m.p.JettyWebAppContext@2eb2d10c{/,file:///home/jenkins/jenkins-slave/workspace/PreCommit-ATLAS-Build-Test@2/webapp/target/atlas-webapp-3.0.0-SNAPSHOT/,UNAVAILABLE}{/home/jenkins/jenkins-slave/workspace/PreCommit-ATLAS-Build-Test@2/webapp/target/atlas-webapp-3.0.0-SNAPSHOT.war}
java.lang.Exception: Timeout scanning annotations
    at org.eclipse.jetty.annotations.AnnotationConfiguration.scanForAnnotations (AnnotationConfiguration.java:578)
    at org.eclipse.jetty.annotations.AnnotationConfiguration.configure (AnnotationConfiguration.java:447)
    at org.eclipse.jetty.webapp.WebAppContext.configure (WebAppContext.java:494)
    at org.eclipse.jetty.webapp.WebAppContext.startContext (WebAppContext.java:1361)
    at org.eclipse.jetty.server.handler.ContextHandler.doStart (ContextHandler.java:778)
    at org.eclipse.jetty.servlet.ServletContextHandler.doStart (ServletContextHandler.java:262)
    at org.eclipse.jetty.webapp.WebAppContext.doStart (WebAppContext.java:520)
    at org.eclipse.jetty.maven.plugin.JettyWebAppContext.doStart (JettyWebAppContext.java:398)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start (AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start (ContainerLifeCycle.java:131)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart (ContainerLifeCycle.java:113)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart (AbstractHandler.java:61)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart (ContextHandlerCollection.java:161)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start (AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start (ContainerLifeCycle.java:131)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart (ContainerLifeCycle.java:113)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart (AbstractHandler.java:61)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start (AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start (ContainerLifeCycle.java:131)
    at org.eclipse.jetty.server.Server.start (Server.java:422)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart (ContainerLifeCycle.java:105)
    at org.eclipse.jetty.server.handler.AbstractHandler.doStart (AbstractHandler.java:61)
    at org.eclipse.jetty.server.Server.doStart (Server.java:389)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start (AbstractLifeCycle.java:68)
    at org.eclipse.jetty.maven.plugin.AbstractJettyMojo.startJetty (AbstractJettyMojo.java:460)
    at org.eclipse.jetty.maven.plugin.AbstractJettyMojo.execute (AbstractJettyMojo.java:328)
    at org.eclipse.jetty.maven.plugin.JettyRunWarMojo.execute (JettyRunWarMojo.java:64)
    at org.eclipse.jetty.maven.plugin.JettyDeployWar.execute (JettyDeployWar.java:65)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute 

[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-07-05 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879541#comment-16879541
 ] 

ASF subversion and git services commented on ATLAS-3153:


Commit fd2544978658fbb8c1ee1164b286727af28770e5 in atlas's branch 
refs/heads/branch-2.0 from Bolke de Bruin
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=fd25449 ]

ATLAS-3153 :- Add Keycloak authentication method to Atlas.

Keycloak is an open source Identity and Access Management solution aimed at 
modern applications and services. It makes it easy to secure applications and 
services with little to no code.
This enabled Atlas to use OpenID Connect (OAUTH2) and allows integration with 
more services.

Signed-off-by: nixonrodrigues 
(cherry picked from commit 645bc94e59969d08b81e7af7a5a2db78207ab3fe)




[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-07-05 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879542#comment-16879542
 ] 

ASF subversion and git services commented on ATLAS-3153:


Commit 88ea258638d5dcb5911c6da406d3b136dab27ebc in atlas's branch 
refs/heads/branch-2.0 from Nixon Rodrigues
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=88ea258 ]

ATLAS-3153 : Testcase fix due to Keycloak authentication method commit.

(cherry picked from commit e7071476aaba064d0967531cda6d9221f918db4e)




[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-07-05 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879110#comment-16879110
 ] 

ASF subversion and git services commented on ATLAS-3153:


Commit e7071476aaba064d0967531cda6d9221f918db4e in atlas's branch 
refs/heads/master from Nixon Rodrigues
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=e707147 ]

ATLAS-3153 : Testcase fix due to Keycloak authentication method commit.




[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-07-04 Thread ASF subversion and git services (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16878682#comment-16878682
 ] 

ASF subversion and git services commented on ATLAS-3153:


Commit 645bc94e59969d08b81e7af7a5a2db78207ab3fe in atlas's branch 
refs/heads/master from Bolke de Bruin
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=645bc94 ]

ATLAS-3153 :- Add Keycloak authentication method to Atlas.

Keycloak is an open source Identity and Access Management solution aimed at 
modern applications and services. It makes it easy to secure applications and 
services with little to no code.
This enabled Atlas to use OpenID Connect (OAUTH2) and allows integration with 
more services.

Signed-off-by: nixonrodrigues 


> Support OpenID Connect directly rather than through Knox
> 
>
> Key: ATLAS-3153
> URL: https://issues.apache.org/jira/browse/ATLAS-3153
> Project: Atlas
>  Issue Type: Improvement
>  Components:  atlas-core, atlas-webui
>Affects Versions: 2.0.0
>Reporter: Bolke de Bruin
>Priority: Major
>  Labels: authentication, authorization
> Attachments: 0001-ATLAS-3153-Add-keycloak-authentication.patch, 
> application.log, keycloak.json, openid_connect_atlas.md
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> The current SSO implementation with Apache Knox is limiting SSO 
> interoperability to Apache Knox. Knox uses JWT verification which could 
> easily be extended to allow for direct OpenID Connect support and doesn't 
> require organizations to deploy Knox.
> Required changes:
>  * Pickup bearer token from headers
>  * Improve and standardize redirecting
>  * Optionally: obtain certificates from well_known uri
>  * Optionally: obtain user groups from userinfo endpoint rather than UGI





[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-07-04 Thread Nixon Rodrigues (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16878540#comment-16878540
 ] 

Nixon Rodrigues commented on ATLAS-3153:


[~bolke], I am doing the final validation. The patch looks good, will merge it 
by EOD. 



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-07-04 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16878538#comment-16878538
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~saqeeb.shaikh136] can we have this merged please?



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-29 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16875578#comment-16875578
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

Ping [~saqeeb.shaikh136]. I have created the first version for bridges, 
quickstart and examples, but it is dependent on this one. Also note that Knox 
does not have support in Atlas client side.



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-26 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16873590#comment-16873590
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~saqeeb.shaikh136] I have created ATLAS-3309 to track this. Can this now be 
merged?



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-26 Thread Saqeeb Shaikh (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16872968#comment-16872968
 ] 

Saqeeb Shaikh commented on ATLAS-3153:
--

[~bolke] Tracking import hive and quick start under a separate Jira sounds good 
to me. We can get started on that.



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-25 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16872629#comment-16872629
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~saqeeb.shaikh136] Both would need changes. Can I suggest doing that outside 
of this PR? I’m happy to do so, but it seems not the ‘same unit’ of work.



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-24 Thread Saqeeb Shaikh (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16871223#comment-16871223
 ] 

Saqeeb Shaikh commented on ATLAS-3153:
--

[~bolke] I was able to successfully log in to Atlas through Keycloak on a 
kerberized cluster after disabling the Kerberos config from Keycloak. Can you 
please check the quick start and import hive scripts with Keycloak authentication?



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-23 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16870629#comment-16870629
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

After our discussion I verified:
 * MIT kdc, with Kerberized Atlas
 * HDP 3.1, FreeIPA, with Kerberized Atlas

Both are working fine (i.e. client is redirected).



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-18 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16866719#comment-16866719
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

Sure will do. We should have some overlap :)



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-18 Thread Saqeeb Shaikh (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16866366#comment-16866366
 ] 

Saqeeb Shaikh commented on ATLAS-3153:
--

[~bolke],

Can we have a WebEx session to understand the issue, and I can show the configs 
and logs on my setup?

Please send me an invite: saqeeb.shaikh136 at gmail.com. I work in the IST 
timezone and can be available from 9:00 IST to 21:30 IST. 



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-15 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16864630#comment-16864630
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

Ping [~saqeeb.shaikh136]? I really need some more info in order to reproduce.



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-08 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16859322#comment-16859322
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~saqeeb.shaikh136] can you share a bit more on the flow you did and your 
configuration? I'm having difficulty replicating the behavior I think you are 
describing. I have tested this with a manually configured KDC.

I do see that while a Kerberos credential can be available, a redirect still 
happens due to the fact that Keycloak's filters are earlier in the chain. This 
is equal to Knox integration (I have never used Knox, but its filter is also 
earlier in the chain), it seems. In short, I can turn on Kerberos and Keycloak 
and Atlas will always use Keycloak.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
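
The ordering effect described in the comment above, as an added illustration that is not part of the thread or of the Atlas patch: a toy model of an ordered authentication filter chain in plain Java. The class names (`OidcFilter`, `KerberosFilter`), the redirect URL and the header value are hypothetical, and it assumes the OIDC filter redirects any request without a bearer token, as the comment reports for Keycloak's filters.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Toy model of an ordered authentication filter chain (added example, not Atlas/Keycloak code).
public class AuthFilterOrderDemo {

    // Minimal stand-in for a request/response pair.
    static class Exchange {
        final Map<String, String> headers = new HashMap<>();
        String authenticatedBy;   // set by the filter that accepted the credential
        String redirectTo;        // set when a filter answers with a login redirect
    }

    interface AuthFilter {
        // Returns true to pass the request on, false when the response is already committed.
        boolean apply(Exchange ex);
    }

    // OIDC-style filter: accepts a bearer token, otherwise redirects to the login page.
    static class OidcFilter implements AuthFilter {
        public boolean apply(Exchange ex) {
            if (ex.authenticatedBy != null) {
                return true;                       // an earlier filter already authenticated
            }
            String auth = ex.headers.get("Authorization");
            if (auth != null && auth.startsWith("Bearer ")) {
                ex.authenticatedBy = "oidc";       // token validation omitted in this model
                return true;
            }
            ex.redirectTo = "https://idp.example.invalid/login";  // constructed URL
            return false;
        }
    }

    // SPNEGO-style filter: accepts a Negotiate header, otherwise leaves the request alone.
    static class KerberosFilter implements AuthFilter {
        public boolean apply(Exchange ex) {
            String auth = ex.headers.get("Authorization");
            if (ex.authenticatedBy == null && auth != null && auth.startsWith("Negotiate ")) {
                ex.authenticatedBy = "kerberos";   // ticket validation omitted in this model
            }
            return true;
        }
    }

    // Runs one request through the chain and reports how it ended.
    static String run(List<AuthFilter> chain, String authorization) {
        Exchange ex = new Exchange();
        if (authorization != null) {
            ex.headers.put("Authorization", authorization);
        }
        for (AuthFilter f : chain) {
            if (!f.apply(ex)) {
                return "redirect to " + ex.redirectTo;
            }
        }
        return ex.authenticatedBy == null ? "anonymous" : "authenticated by " + ex.authenticatedBy;
    }

    public static void main(String[] args) {
        String ticket = "Negotiate constructed-spnego-token";   // constructed sample value
        List<AuthFilter> oidcFirst = Arrays.asList(new OidcFilter(), new KerberosFilter());
        List<AuthFilter> kerberosFirst = Arrays.asList(new KerberosFilter(), new OidcFilter());

        // OIDC filter first: the Kerberos credential is never looked at.
        System.out.println("oidc first, kerberos client:     " + run(oidcFirst, ticket));
        // Kerberos filter first: the same request authenticates without a redirect.
        System.out.println("kerberos first, kerberos client: " + run(kerberosFirst, ticket));
        // A client with no credential is redirected in either order.
        System.out.println("kerberos first, no credential:   " + run(kerberosFirst, null));
    }
}
```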


[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-04 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16855708#comment-16855708
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~saqeeb.shaikh136] Let me verify.



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-06-04 Thread Saqeeb Shaikh (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16855675#comment-16855675
 ] 

Saqeeb Shaikh commented on ATLAS-3153:
--

[~bolke],

I tested the patch on an HDP cluster with Kerberos ON and encountered issues while 
forwarding the request to the Keycloak challenge page. The same setup on local 
(without Kerberos ON) works well. Attached logs and keycloak.json. Can you 
please verify this setup on your end with Kerberos ON?

PFA [^keycloak.json]  [^application.log]

^cc:[~madhan.neethiraj]^

 



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-31 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16852947#comment-16852947
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

Ping? Can this be merged now?

> Support OpenID Connect directly rather than through Knox
> 
>
> Key: ATLAS-3153
> URL: https://issues.apache.org/jira/browse/ATLAS-3153
> Project: Atlas
> Issue Type: Improvement
> Components: atlas-core, atlas-webui
> Affects Versions: 2.0.0
> Reporter: Bolke de Bruin
> Priority: Major
> Labels: authentication, authorization
> Attachments: 0001-ATLAS-3153-Add-keycloak-authentication.patch, 
> openid_connect_atlas.md
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The current SSO implementation with Apache Knox is limiting SSO 
> interoperability to Apache Knox. Knox uses JWT verification which could 
> easily be extended to allow for direct OpenID Connect support and doesn't 
> require organizations to deploy Knox.
> Required changes:
>  * Pickup bearer token from headers
>  * Improve and standardize redirecting
>  * Optionally: obtain certificates from well_known uri
>  * Optionally: obtain user groups from userinfo endpoint rather than UGI





[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-28 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850144#comment-16850144
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~sarath.ku...@gmail.com] I have added the file. Mostly copied from the PR with 
some additions.

> Support OpenID Connect directly rather than through Knox
> 
>
> Key: ATLAS-3153
> URL: https://issues.apache.org/jira/browse/ATLAS-3153
> Project: Atlas
> Issue Type: Improvement
> Affects Versions: 2.0.0
> Reporter: Bolke de Bruin
> Priority: Major
> Attachments: openid_connect_atlas.md
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The current SSO implementation with Apache Knox is limiting SSO 
> interoperability to Apache Knox. Knox uses JWT verification which could 
> easily be extended to allow for direct OpenID Connect support and doesn't 
> require organizations to deploy Knox.
> Required changes:
>  * Pickup bearer token from headers
>  * Improve and standardize redirecting
>  * Optionally: obtain certificates from well_known uri
>  * Optionally: obtain user groups from userinfo endpoint rather than UGI





[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-28 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850080#comment-16850080
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~sarath.ku...@gmail.com] as mentioned this is already part of the PR? Isn’t 
the twiki used for this?

> Support OpenID Connect directly rather than through Knox
> 
>
> Key: ATLAS-3153
> URL: https://issues.apache.org/jira/browse/ATLAS-3153
> Project: Atlas
> Issue Type: Improvement
> Affects Versions: 2.0.0
> Reporter: Bolke de Bruin
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The current SSO implementation with Apache Knox is limiting SSO 
> interoperability to Apache Knox. Knox uses JWT verification which could 
> easily be extended to allow for direct OpenID Connect support and doesn't 
> require organizations to deploy Knox.
> Required changes:
>  * Pickup bearer token from headers
>  * Improve and standardize redirecting
>  * Optionally: obtain certificates from well_known uri
>  * Optionally: obtain user groups from userinfo endpoint rather than UGI





[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-28 Thread Sarath Subramanian (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850056#comment-16850056
 ] 

Sarath Subramanian commented on ATLAS-3153:
---

[~bolke], like Srikanth mentioned - " a design doc for the use case and the 
arch. and configs needed for Atlas to consume OpenID asserted credentials? 
Perhaps an interaction diagram to explain how this feature will work, the 
actual flow, and configs needed (for example how the user/group mappings are 
fetched) "



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-28 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850029#comment-16850029
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~sarath.ku...@gmail.com] sure, can you explain what you would like to see in 
the design doc? Both OpenID connect and spring security are well understood. 
The roles / groups might be something as they can be obtained from keycloak 
instead of UGI. That’s also pretty straightforward. 

Can you give me some guidance?



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-28 Thread Sarath Subramanian (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16850011#comment-16850011
 ] 

Sarath Subramanian commented on ATLAS-3153:
---

[~bolke] can you attach the design doc in the JIRA?



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-28 Thread Saqeeb Shaikh (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16849642#comment-16849642
 ] 

Saqeeb Shaikh commented on ATLAS-3153:
--

Thanks for the patch [~bolke]. I have done basic validations with keycloak 
server, it looks good.



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-27 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16849115#comment-16849115
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

Ping?



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-23 Thread Bolke de Bruin (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16846470#comment-16846470
 ] 

Bolke de Bruin commented on ATLAS-3153:
---

[~srikvenk] I have already included documentation in the PR (twiki) that 
describes this. Do you want me to extend that?

We don't use Azure, but the Keycloak client should work with any OAuth provider 
or (preferred) OpenID Connect (a layer on top of OAuth). Azure supports both, so 
with proper configuration in keycloak.json and maybe a mapper defined in 
Azure's service definition this should 'just' work. AuthN/Z are then both 
supported. If you disable Hadoop's UGI integration as documented, you have 
roles/groups (exclusive; this is a limitation of Atlas at the moment, not of 
Keycloak/OpenID).



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-22 Thread Srikanth Venkat (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16846433#comment-16846433
 ] 

Srikanth Venkat commented on ATLAS-3153:


[~bolke] This is a good addition. Can you help the community by providing a 
design doc for the use case and the arch. and configs needed for Atlas to 
consume OpenID asserted credentials? Perhaps an interaction diagram to explain 
how this feature will work, the actual flow, and configs needed (for example 
how the user/group mappings are fetched) will be useful to review the patch and 
understand the feature.

Also, a quick question: will a similar mechanism work for Azure AD via OAuth2 
(especially from an authN/authZ perspective)?



[jira] [Commented] (ATLAS-3153) Support OpenID Connect directly rather than through Knox

2019-05-20 Thread Ashutosh Mestry (JIRA)


[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16844517#comment-16844517
 ] 

Ashutosh Mestry commented on ATLAS-3153:


Thanks for the patch. It is being reviewed.
