[jira] [Reopened] (AMBARI-18406) Create authentication filter to perform Kerberos authentication for Ambari
[
https://issues.apache.org/jira/browse/AMBARI-18406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Levas reopened AMBARI-18406:
---
> Create authentication filter to perform Kerberos authentication for Ambari
> --
>
> Key: AMBARI-18406
> URL: https://issues.apache.org/jira/browse/AMBARI-18406
> Project: Ambari
> Issue Type: Task
> Components: ambari-server
>Affects Versions: 2.5.0
>Reporter: Robert Levas
>Assignee: Robert Levas
> Labels: authentication, kerberos, security
> Fix For: 2.5.0
>
> Attachments: AMBARI-18406_branch-2.5_01.patch,
> AMBARI-18406_branch-2.5_02.patch, AMBARI-18406_branch-2.5_03.patch,
> AMBARI-18406_trunk_01.patch, AMBARI-18406_trunk_02.patch,
> AMBARI-18406_trunk_03.patch, AMBARI-18406_trunk_03_ammended.patch
>
>
> Users should be able to authenticate to use Ambari by providing a Kerberos
> token using SPNEGO - Simple and Protected GSSAPI Negotiation Mechanism. This
> includes access to the Ambari REST API as well as the Ambari web-based UI.
> The implementation should support the ability to perform the full SPNEGO
> handshake as well as access requests directly providing the appropriate HTTP
> header containing the Kerberos token. For example:
> {noformat}
> Authorization: Negotiate YIICcgY...r/vJcLO
> {noformat}
> In the full handshake model
> # The client requests access to a web resource
> # The server responds with an HTTP 401 status ({{Unauthorized}}), including
> the header {{WWW-Authenticate: Negotiate}}
> # The client generates the Kerberos data and creates a new request containing
> the authentication header - {{Authorization: Negotiate YIICcgY...r/vJcLO}}
> Since Ambari needs to generally return a HTTP status of 403 ({{Forbidden}})
> when authentication is needed, a _hint_ must be sent along with the request
> indicate to Ambari that Kerberos authentication is desired. If this _hint_
> is received, then Ambari will respond with the appropriate status and header
> to initiate SPNEGO with the client. This _hint_ is an Ambari-specific header
> named "X-Negotiate-Authentication" with the value of "true":
> {noformat}
> X-Negotiate-Authentication: true
> {noformat}
> No matter what the handshake mechanism is (or lack of), once the Kerberos
> token is received by Ambari, Ambari is to parse and validate the token. If a
> failure occurs, Ambari is to respond with the appropriate HTTP status and
> related header(s). Upon success, the user's principal name is retrieved and
> converted into a _local_ user name. The use of an auth-to-local rule set
> processor may be needed to perform this translation. Using this _local_
> username, an appropriate Ambari user account is located and used as the
> authenticated users identity - details, privileges, etc Failure to find
> an appropriate Ambari user account is to result in an authentication failure
> response.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Reopened] (AMBARI-18406) Create authentication filter to perform Kerberos authentication for Ambari
[
https://issues.apache.org/jira/browse/AMBARI-18406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Levas reopened AMBARI-18406:
---
Reopened to fix a unit test
> Create authentication filter to perform Kerberos authentication for Ambari
> --
>
> Key: AMBARI-18406
> URL: https://issues.apache.org/jira/browse/AMBARI-18406
> Project: Ambari
> Issue Type: Task
> Components: ambari-server
>Affects Versions: 2.5.0
>Reporter: Robert Levas
>Assignee: Robert Levas
> Labels: authentication, kerberos, security
> Fix For: 2.5.0
>
> Attachments: AMBARI-18406_branch-2.5_01.patch,
> AMBARI-18406_branch-2.5_02.patch, AMBARI-18406_trunk_01.patch,
> AMBARI-18406_trunk_02.patch
>
>
> Users should be able to authenticate to use Ambari by providing a Kerberos
> token using SPNEGO - Simple and Protected GSSAPI Negotiation Mechanism. This
> includes access to the Ambari REST API as well as the Ambari web-based UI.
> The implementation should support the ability to perform the full SPNEGO
> handshake as well as access requests directly providing the appropriate HTTP
> header containing the Kerberos token. For example:
> {noformat}
> Authorization: Negotiate YIICcgY...r/vJcLO
> {noformat}
> In the full handshake model
> # The client requests access to a web resource
> # The server responds with an HTTP 401 status ({{Unauthorized}}), including
> the header {{WWW-Authenticate: Negotiate}}
> # The client generates the Kerberos data and creates a new request containing
> the authentication header - {{Authorization: Negotiate YIICcgY...r/vJcLO}}
> Since Ambari needs to generally return a HTTP status of 403 ({{Forbidden}})
> when authentication is needed, a _hint_ must be sent along with the request
> indicate to Ambari that Kerberos authentication is desired. If this _hint_
> is received, then Ambari will respond with the appropriate status and header
> to initiate SPNEGO with the client. This _hint_ is an Ambari-specific header
> named "X-Negotiate-Authentication" with the value of "true":
> {noformat}
> X-Negotiate-Authentication: true
> {noformat}
> No matter what the handshake mechanism is (or lack of), once the Kerberos
> token is received by Ambari, Ambari is to parse and validate the token. If a
> failure occurs, Ambari is to respond with the appropriate HTTP status and
> related header(s). Upon success, the user's principal name is retrieved and
> converted into a _local_ user name. The use of an auth-to-local rule set
> processor may be needed to perform this translation. Using this _local_
> username, an appropriate Ambari user account is located and used as the
> authenticated users identity - details, privileges, etc Failure to find
> an appropriate Ambari user account is to result in an authentication failure
> response.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
