Re: Multiple Authentication Providers

2017-12-28 Thread larry mccay 
Yep - that sounds about right, Rick!
Will keep an eye out for the patch - we should consider that one for 1.0.0
actually.

On Thu, Dec 28, 2017 at 12:09 PM, Rick Kellogg <rmkell...@comcast.net>
wrote:

> I think I found the root cause of the issue.  Within the 
> DeploymentFactory.collectTopologyProviders
> we need to check for enabled before inclusion in downstream processing.
> Will test out tomorrow and submit patch if correct.
>
> --Rick
>
> -Original Message-
> From: larry mccay [mailto:lmc...@apache.org]
> Sent: Friday, December 22, 2017 2:04 PM
> To: dev@knox.apache.org
> Subject: Re: Multiple Authentication Providers
>
> Interesting
>
> I think that I have always commented out other providers to switch back
> and forth.
> Thinking of that deployment factory code, I can imagine this being
> entirely true.
>
>
> On Fri, Dec 22, 2017 at 1:58 PM, Rick Kellogg <rmkell...@comcast.net>
> wrote:
>
> > Greetings,
> >
> >
> >
> > After spending several days attempting to get HBase working with Knox
> > in a Kerberos secured environment, I discovered a crazy bug I want to
> > share with you.
> >
> >
> >
> > I started with the default topology that included the ShiroProvider.
> > I set the enabled value to false and added my HadoopAuth provider
> directly below
> > it with enabled set to true.This was done so I could easily switch
> back
> > to the original if required.
> >
> >
> >
> > When I finally thought to review the generated deployment artifacts, I
> > discovered the gateway.xml file did not include any reference to the
> > ShiroFilter or HadoopAuthFilter.  As such my subsequent use of the
> > identity assertion filter would fail with a missing Subject.
> >
> >
> >
> > So basically one can only have a single authentication provider listed
> > in the topology.  It does not use the first enabled provider.  Next
> > week, I will research and attempt to suggest some suitable changes or
> warnings.
> >
> >
> >
> > Thanks everyone for their assistance on this matter.  Almost completed
> > my HBase integration with Knox and Kerberos.
> >
> >
> >
> > Take care,
> >
> > Rick
> >
> >
>
>

RE: Multiple Authentication Providers

2017-12-28 Thread Rick Kellogg 
I think I found the root cause of the issue.  Within the 
DeploymentFactory.collectTopologyProviders we need to check for enabled before 
inclusion in downstream processing.  Will test out tomorrow and submit patch if 
correct.

--Rick

-Original Message-
From: larry mccay [mailto:lmc...@apache.org] 
Sent: Friday, December 22, 2017 2:04 PM
To: dev@knox.apache.org
Subject: Re: Multiple Authentication Providers

Interesting

I think that I have always commented out other providers to switch back and 
forth.
Thinking of that deployment factory code, I can imagine this being entirely 
true.


On Fri, Dec 22, 2017 at 1:58 PM, Rick Kellogg <rmkell...@comcast.net> wrote:

> Greetings,
>
>
>
> After spending several days attempting to get HBase working with Knox 
> in a Kerberos secured environment, I discovered a crazy bug I want to 
> share with you.
>
>
>
> I started with the default topology that included the ShiroProvider.  
> I set the enabled value to false and added my HadoopAuth provider directly 
> below
> it with enabled set to true.This was done so I could easily switch back
> to the original if required.
>
>
>
> When I finally thought to review the generated deployment artifacts, I 
> discovered the gateway.xml file did not include any reference to the 
> ShiroFilter or HadoopAuthFilter.  As such my subsequent use of the 
> identity assertion filter would fail with a missing Subject.
>
>
>
> So basically one can only have a single authentication provider listed 
> in the topology.  It does not use the first enabled provider.  Next 
> week, I will research and attempt to suggest some suitable changes or 
> warnings.
>
>
>
> Thanks everyone for their assistance on this matter.  Almost completed 
> my HBase integration with Knox and Kerberos.
>
>
>
> Take care,
>
> Rick
>
>

Re: Multiple Authentication Providers

2017-12-22 Thread larry mccay 
Interesting

I think that I have always commented out other providers to switch back and
forth.
Thinking of that deployment factory code, I can imagine this being entirely
true.


On Fri, Dec 22, 2017 at 1:58 PM, Rick Kellogg  wrote:

> Greetings,
>
>
>
> After spending several days attempting to get HBase working with Knox in a
> Kerberos secured environment, I discovered a crazy bug I want to share with
> you.
>
>
>
> I started with the default topology that included the ShiroProvider.  I set
> the enabled value to false and added my HadoopAuth provider directly below
> it with enabled set to true.This was done so I could easily switch back
> to the original if required.
>
>
>
> When I finally thought to review the generated deployment artifacts, I
> discovered the gateway.xml file did not include any reference to the
> ShiroFilter or HadoopAuthFilter.  As such my subsequent use of the identity
> assertion filter would fail with a missing Subject.
>
>
>
> So basically one can only have a single authentication provider listed in
> the topology.  It does not use the first enabled provider.  Next week, I
> will research and attempt to suggest some suitable changes or warnings.
>
>
>
> Thanks everyone for their assistance on this matter.  Almost completed my
> HBase integration with Knox and Kerberos.
>
>
>
> Take care,
>
> Rick
>
>