Hi,

we are using Knox on a Kerberized cluster to secure access to a RESTful Java
application. We know the user making the request is authenticated against
Kerberos in Knox, but is the resulting ticket then passed on with the
request? We believe there is a security issue in our app where we do not
authenticate the 'doAs' user supplied by Knox. From inside the cluster, a
malicious actor may in theory supply any value for this parameter in their
request and be granted the same access as that user.

So, is the Kerberos ticket passed on that our service could then
authenticate? Or do we just assume that the Kerberos authentication is a
one-time job that happens in the Knox gateway?

Best Regards,
Adam

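The gap described above is the classic trusted-proxy problem: a doAs parameter is only meaningful if the backend service first authenticates the immediate caller itself (for example the gateway's own Kerberos service principal via SPNEGO) and then checks that this caller is a configured proxy permitted to impersonate that user from that host. Below is an added, language-neutral illustration of that check in Python; it is not code from the original message, from Knox or from Hadoop. The rule layout mirrors the hadoop.proxyuser.<name>.{hosts,users,groups} convention, while the principal names, addresses, group membership and the short_name() mapping are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


class ImpersonationError(Exception):
    """Raised when a doAs request must be refused."""


@dataclass
class ProxyRule:
    """Who a trusted proxy principal may impersonate, and from where.

    Modelled on hadoop.proxyuser.<name>.{hosts,users,groups}; "*" means any.
    Constructed for this example, not a real configuration format."""
    hosts: Set[str] = field(default_factory=set)   # IPs, CIDRs or exact hostnames
    users: Set[str] = field(default_factory=set)   # impersonation targets
    groups: Set[str] = field(default_factory=set)  # groups of impersonation targets


def short_name(principal: str) -> str:
    """'knox/gw.example.com@EXAMPLE.COM' -> 'knox'.

    Simplified assumption: real deployments map principals with
    auth_to_local rules instead of this split."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def _host_allowed(rule: ProxyRule, remote_addr: str) -> bool:
    """remote_addr is assumed to be the peer IP of the TCP connection."""
    if "*" in rule.hosts:
        return True
    addr = ipaddress.ip_address(remote_addr)
    for entry in rule.hosts:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            # not an IP/CIDR: treat as a hostname, exact match only
            if entry == remote_addr:
                return True
    return False


def resolve_effective_user(
    authenticated_principal: Optional[str],
    remote_addr: str,
    do_as: Optional[str],
    rules: Dict[str, ProxyRule],
    groups_of: Callable[[str], Set[str]],
) -> str:
    """Return the identity a request should run as.

    authenticated_principal is what *this* service verified (e.g. via SPNEGO),
    not anything the client claimed in a header or query parameter."""
    if authenticated_principal is None:
        raise ImpersonationError("request is not authenticated")
    caller = short_name(authenticated_principal)
    if not do_as:
        return caller                      # no impersonation requested
    rule = rules.get(caller)
    if rule is None:
        # an authenticated but non-proxy caller cannot pick another user
        raise ImpersonationError(f"{caller} is not a trusted proxy")
    if not _host_allowed(rule, remote_addr):
        raise ImpersonationError(f"{caller} may not proxy from {remote_addr}")
    if "*" in rule.users or do_as in rule.users:
        return do_as
    if "*" in rule.groups or rule.groups & groups_of(do_as):
        return do_as
    raise ImpersonationError(f"{caller} may not impersonate {do_as}")


# Constructed sample policy: only the gateway principal 'knox', calling from
# the 10.0.0.0/24 subnet, may impersonate members of the 'analysts' group.
RULES = {"knox": ProxyRule(hosts={"10.0.0.0/24"}, groups={"analysts"})}
GROUPS = {"alice": {"analysts"}, "bob": {"ops"}}


def lookup_groups(user: str) -> Set[str]:
    return GROUPS.get(user, set())


def refused(principal: Optional[str], remote_addr: str, do_as: Optional[str]) -> bool:
    """True if the policy rejects the request (helper for demonstration)."""
    try:
        resolve_effective_user(principal, remote_addr, do_as, RULES, lookup_groups)
        return False
    except ImpersonationError:
        return True


if __name__ == "__main__":
    print(resolve_effective_user("knox/gw.example.com@EXAMPLE.COM", "10.0.0.5", "alice", RULES, lookup_groups))
    print(refused("mallory@EXAMPLE.COM", "10.0.0.7", "alice"))   # in-cluster user spoofing doAs
```

The important design point is that the service never trusts doAs on its own: the identity that gates impersonation comes from the service's own authentication of the connection, so an in-cluster user who can reach the service directly gets only their own identity, and the gateway's identity only helps from the hosts it is expected to run on.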