Re: Multiple Authentication Providers
Yep - that sounds about right, Rick! Will keep an eye out for the patch - we should consider that one for 1.0.0 actually.

On Thu, Dec 28, 2017 at 12:09 PM, Rick Kellogg <rmkell...@comcast.net> wrote:

> I think I found the root cause of the issue. Within the
> DeploymentFactory.collectTopologyProviders
> we need to check for enabled before inclusion in downstream processing.
> Will test out tomorrow and submit patch if correct.
>
> --Rick
>
> -Original Message-
> From: larry mccay [mailto:lmc...@apache.org]
> Sent: Friday, December 22, 2017 2:04 PM
> To: dev@knox.apache.org
> Subject: Re: Multiple Authentication Providers
>
> Interesting
>
> I think that I have always commented out other providers to switch back
> and forth.
> Thinking of that deployment factory code, I can imagine this being
> entirely true.
>
> On Fri, Dec 22, 2017 at 1:58 PM, Rick Kellogg <rmkell...@comcast.net>
> wrote:
>
> > Greetings,
> >
> > After spending several days attempting to get HBase working with Knox
> > in a Kerberos secured environment, I discovered a crazy bug I want to
> > share with you.
> >
> > I started with the default topology that included the ShiroProvider.
> > I set the enabled value to false and added my HadoopAuth provider
> > directly below it with enabled set to true. This was done so I could
> > easily switch back to the original if required.
> >
> > When I finally thought to review the generated deployment artifacts, I
> > discovered the gateway.xml file did not include any reference to the
> > ShiroFilter or HadoopAuthFilter. As such my subsequent use of the
> > identity assertion filter would fail with a missing Subject.
> >
> > So basically one can only have a single authentication provider listed
> > in the topology. It does not use the first enabled provider. Next
> > week, I will research and attempt to suggest some suitable changes or
> > warnings.
> >
> > Thanks everyone for their assistance on this matter. Almost completed
> > my HBase integration with Knox and Kerberos.
> >
> > Take care,
> >
> > Rick

RE: Multiple Authentication Providers
I think I found the root cause of the issue. Within the DeploymentFactory.collectTopologyProviders we need to check for enabled before inclusion in downstream processing. Will test out tomorrow and submit patch if correct.

--Rick

-Original Message-
From: larry mccay [mailto:lmc...@apache.org]
Sent: Friday, December 22, 2017 2:04 PM
To: dev@knox.apache.org
Subject: Re: Multiple Authentication Providers

Interesting

I think that I have always commented out other providers to switch back and forth.
Thinking of that deployment factory code, I can imagine this being entirely true.

On Fri, Dec 22, 2017 at 1:58 PM, Rick Kellogg <rmkell...@comcast.net> wrote:

> Greetings,
>
> After spending several days attempting to get HBase working with Knox
> in a Kerberos secured environment, I discovered a crazy bug I want to
> share with you.
>
> I started with the default topology that included the ShiroProvider.
> I set the enabled value to false and added my HadoopAuth provider directly
> below it with enabled set to true. This was done so I could easily switch
> back to the original if required.
>
> When I finally thought to review the generated deployment artifacts, I
> discovered the gateway.xml file did not include any reference to the
> ShiroFilter or HadoopAuthFilter. As such my subsequent use of the
> identity assertion filter would fail with a missing Subject.
>
> So basically one can only have a single authentication provider listed
> in the topology. It does not use the first enabled provider. Next
> week, I will research and attempt to suggest some suitable changes or
> warnings.
>
> Thanks everyone for their assistance on this matter. Almost completed
> my HBase integration with Knox and Kerberos.
>
> Take care,
>
> Rick

Re: Multiple Authentication Providers
Interesting

I think that I have always commented out other providers to switch back and forth.
Thinking of that deployment factory code, I can imagine this being entirely true.

On Fri, Dec 22, 2017 at 1:58 PM, Rick Kellogg wrote:

> Greetings,
>
> After spending several days attempting to get HBase working with Knox in a
> Kerberos secured environment, I discovered a crazy bug I want to share with
> you.
>
> I started with the default topology that included the ShiroProvider. I set
> the enabled value to false and added my HadoopAuth provider directly below
> it with enabled set to true. This was done so I could easily switch back
> to the original if required.
>
> When I finally thought to review the generated deployment artifacts, I
> discovered the gateway.xml file did not include any reference to the
> ShiroFilter or HadoopAuthFilter. As such my subsequent use of the identity
> assertion filter would fail with a missing Subject.
>
> So basically one can only have a single authentication provider listed in
> the topology. It does not use the first enabled provider. Next week, I
> will research and attempt to suggest some suitable changes or warnings.
>
> Thanks everyone for their assistance on this matter. Almost completed my
> HBase integration with Knox and Kerberos.
>
> Take care,
>
> Rick
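
The topology layout reported in this thread can be caught before deployment. As an added example (not code from the thread or from Knox), this Python check parses a topology, groups providers by role, picks the first enabled provider per role as the thread expected, and flags roles that list more than one provider. The function names and the sample topology are constructed for illustration, and treating a missing `<enabled>` element as enabled is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the layout described in the thread, with a disabled
# ShiroProvider kept directly above an enabled HadoopAuth provider.
SAMPLE_TOPOLOGY = """
<topology>
  <gateway>
    <provider>
      <role>authentication</role><name>ShiroProvider</name><enabled>false</enabled>
    </provider>
    <provider>
      <role>authentication</role><name>HadoopAuth</name><enabled>true</enabled>
    </provider>
    <provider>
      <role>identity-assertion</role><name>Default</name><enabled>true</enabled>
    </provider>
  </gateway>
</topology>
"""

def providers_by_role(topology_xml):
    """Return {role: [(name, enabled), ...]} in document order."""
    roles = {}
    for p in ET.fromstring(topology_xml).findall("./gateway/provider"):
        role = (p.findtext("role") or "").strip()
        name = (p.findtext("name") or "").strip()
        # Assumption for this example: a missing <enabled> counts as enabled.
        enabled = (p.findtext("enabled") or "true").strip().lower() == "true"
        roles.setdefault(role, []).append((name, enabled))
    return roles

def first_enabled(roles):
    """Check enabled before selection: first enabled provider per role, or None."""
    return {role: next((n for n, on in entries if on), None)
            for role, entries in roles.items()}

def lint(roles):
    """Flag roles whose provider list matches the failure mode in the thread."""
    findings = []
    for role, entries in roles.items():
        enabled = [n for n, on in entries if on]
        if not enabled:
            findings.append(f"{role}: no enabled provider")
        elif len(entries) > 1:
            findings.append(f"{role}: {len(entries)} providers listed, enabled={enabled}; "
                            "confirm the expected filter appears in gateway.xml")
    return findings

if __name__ == "__main__":
    roles = providers_by_role(SAMPLE_TOPOLOGY)
    print(first_enabled(roles))
    print(*lint(roles), sep="\n")
```

A finding from `lint` is a prompt to inspect the generated gateway.xml for the authentication filter, since a missing filter is what surfaced in the thread as an identity assertion failure with a missing Subject.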