Hi Tony -

The hadoop-jwt cookie is presented by browsers to UI applications that are
participating in KnoxSSO.
Participating in KnoxSSO means that those applications have integrations
for verifying the presented cookie similar to what is described in the
dev-guide for KnoxSSO integration.

Now, we do have another provider that needs to be documented on its own
called the SSOCookieProvider. This can be configured as the federation
provider in a topology and will verify the presented cookie before proxying
the request to the backend service.

This use case is generally only useful for web applications that are
consuming Hadoop REST APIs through Knox. It does however cover exactly what
you are asking about. If there is a presented hadoop-jwt cookie Knox will
validate the cookie and dispatch the request to the backend service on
behalf of the authenticated user without the service ever having to know
about KnoxSSO or the cookie.

I've also added an authenticationHandler to Hadoop to validate the
hadoop-jwt cookie but that isn't really intended for the REST APIs but for
the UI webapps for the various components. Since cookies are much more a
webapp token than they are a REST API standard and there are many clients
that would break if you changed the authentication of the REST APIs out
from under them, we only put that handler in place for the UIs.

Hope that makes sense.

I will be adding additional config for the SSOCookieProvider in the next
couple days.

thanks,

--larry

On Thu, Mar 24, 2016 at 8:45 PM, hdp <[email protected]> wrote:

> Hi Larry
> What is the hadoop-jwt token used for after KnoxSSO is configured?
> Does the service proxied by knox need to verify that hadoop-jwt token to
> let the user login without challenging again?
> I did not see how the services proxied by knox benefit from such "SSO"
> from the current Dev guide's knoxSSO integration guide. Did I miss
> anything?
>
> Thanks
> Tony
>
>
> At 2016-03-24 21:25:50, "larry mccay" <[email protected]> wrote:
>
> Yes, that is correct.
>
> It is a protection against being redirected to pages that may do something
> malicious like phishing, etc.
> That should be documented in the users guide:
> http://knox.apache.org/books/knox-0-8-0/user-guide.html#KnoxSSO+Configuration+Parameters
>
>
> On Thu, Mar 24, 2016 at 12:58 AM, hdp <[email protected]> wrote:
>
>> I also found that *knoxsso.redirect.whitelist.regex* should be configured
>> in knoxSSO, else it can only try to redirect to localhost, which makes it
>> impossible to reference in a production usage.
>>
>> Thanks
>> Tony
>>
>>
>>
>> At 2016-03-23 09:58:04, "larry mccay" <[email protected]> wrote:
>>
>> Yes, that typo has to be fixed as well.
>> That class is in the Hadoop code base and is shown as an example of how
>> to configure the Hadoop UIs to accept the SSO cookie created by KnoxSSO. It
>> will be in the Hadoop 2.8 release and is also available on trunk.
>>
>> It can be used as an example of a filter for integration.
>>
>> You can also use the SSOCookieProvider which is discussed in the dev
>> guide.
>>
>> The documentation for 0.7/8/9.0 has been updated to fix what you pointed
>> out.
>>
>> I will be circling back to fix the typos and rendering issues with all of
>> the apostrophes as well.
>>
>> On Tue, Mar 22, 2016 at 9:19 PM, hdp <[email protected]> wrote:
>>
>>> Hi Larry
>>> Thanks for updating the document for knox0.7. Please also note that the knox
>>> 0.8 document has the same issue.
>>>
>>> And I found the following in knox0.7 KnoxSSO+Integration:
>>>
>>> <value>org.apache.hadoop/security.authentication/server.JWTRedirectAuthenticationHandler</value>
>>>
>>> Is this a typo? It should be
>>> org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler?
>>> I did not find the class JWTRedirectAuthenticationHandler in the knox
>>> 0.7 lib or its dependency, hadoop-auth-2.2.0.jar; neither in knox0.8.
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>> At 2016-03-23 00:14:38, "larry mccay" <[email protected]> wrote:
>>>
>>> Hi Tony -
>>>
>>> Please see:
>>> http://knox.apache.org/books/knox-0-7-0/dev-guide.html#KnoxSSO+Integration
>>> for the missing documentation.
>>>
>>> I will need to circle back and fix some content rendering and review the
>>> docs again very closely but this should provide you with an overview of
>>> integrating applications with KnoxSSO.
>>>
>>> thanks,
>>>
>>> --larry
>>>
>>> On Tue, Mar 22, 2016 at 8:55 AM, larry mccay <[email protected]> wrote:
>>>
>>>> Hi Tony -
>>>>
>>>> I will take a look at the docs and get the missing information added -
>>>> thank you for pointing it out.
>>>>
>>>> If you provide some information regarding exactly what you are looking
>>>> to accomplish, I can give you more specific instructions.
>>>>
>>>> Thanks,
>>>>
>>>> --larry
>>>>
>>>> On Tue, Mar 22, 2016 at 4:53 AM, hdp <[email protected]> wrote:
>>>>
>>>>> How can I make knox 0.7 SSO work?
>>>>> The user's guide (KnoxSSO Setup and Configuration -> Introduction) says
>>>>> "We also provide integration guidance within the developers guide for
>>>>> other applications to be able to participate in these SSO capabilities."
>>>>> But I did not find how to make an application participate in SSO in the
>>>>> developer's guide.
>>>>>
>>>>> The user's guide also says "[Please see the integration guide for
>>>>> instructions in adding support for new applications.]". I did not find
>>>>> the integration guide either.
>>>>>
>>>>> Can someone give a workable example for setting up knox-SSO?
>>>>>
>>>>> Thanks
>>>>> Tony Huang
>>>>>
>
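
The redirect whitelist discussed in the thread above (knoxsso.redirect.whitelist.regex), as an added example that is not part of the original messages and not Knox's own code: a small audit that runs a candidate whitelist value against URLs that must be accepted and URLs that must be refused before it is deployed. The host names, the three candidate patterns, the sample URLs, the `;`-separated list format and the whole-string match are assumptions made for illustration.

```python
import re

# Constructed candidate values for knoxsso.redirect.whitelist.regex
# (illustrative only; none of these is taken from a Knox release).
LOCAL_ONLY = r"https?://(localhost|127\.0\.0\.1)(:\d{1,5})?/.*"
TOO_LOOSE = r".*example\.com.*"
ANCHORED = r"https?://(ui1|ui2)\.example\.com(:\d{1,5})?/.*"

# Constructed originalUrl samples: UIs that take part in SSO ...
MUST_ALLOW = [
    "https://ui1.example.com/ranger/index.html",
    "https://ui2.example.com:8443/app?x=1",
]
# ... and look-alike destinations that must never receive the redirect.
MUST_DENY = [
    "https://ui1.example.com.lookalike.test/",
    "https://lookalike.test/?next=https://ui1.example.com/",
    "https://ui1.example.com@lookalike.test/",
]


def matches_whitelist(url, whitelist):
    """True if the whole URL matches at least one pattern in the list.

    Assumption: the value is a ';'-separated list of regexes and the
    complete URL has to match, not just a substring of it.
    """
    patterns = [p.strip() for p in whitelist.split(";") if p.strip()]
    return any(re.fullmatch(p, url) for p in patterns)


def audit_whitelist(whitelist, must_allow=MUST_ALLOW, must_deny=MUST_DENY):
    """Return (problem, url) pairs; an empty list means the value passes."""
    findings = []
    for url in must_allow:
        if not matches_whitelist(url, whitelist):
            findings.append(("blocked-but-needed", url))
    for url in must_deny:
        if matches_whitelist(url, whitelist):
            findings.append(("allowed-but-foreign", url))
    return findings


if __name__ == "__main__":
    for name, value in [("LOCAL_ONLY", LOCAL_ONLY),
                        ("TOO_LOOSE", TOO_LOOSE),
                        ("ANCHORED", ANCHORED)]:
        print(name, audit_whitelist(value))
```

The localhost-only value blocks both production UIs, the loose value lets all three look-alike URLs through, and only the value that pins scheme, host and the first path separator passes the audit.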
