This link has documentation for the SSOCookieProvider within the context of the pac4j provider:
http://knox.apache.org/books/knox-0-8-0/user-guide.html#SSO+topology

On Thu, Mar 24, 2016 at 10:22 PM, larry mccay <[email protected]> wrote:

> Hi Tony -
>
> The hadoop-jwt cookie is presented by browsers to UI applications that are
> participating in KnoxSSO.
> Participating in KnoxSSO means that those applications have integrations
> for verifying the presented cookie similar to what is described in the
> dev-guide for KnoxSSO integration.
>
> Now, we do have another provider that needs to be documented on its own
> called the SSOCookieProvider. This can be configured as the federation
> provider in a topology and will verify the presented cookie before proxying
> the request to the backend service.
>
> This use case is generally only useful for web applications that are
> consuming Hadoop REST APIs through Knox. It does however cover exactly what
> you are asking about. If there is a presented hadoop-jwt cookie Knox will
> validate the cookie and dispatch the request to the backend service on
> behalf of the authenticated user without the service ever having to know
> about KnoxSSO or the cookie.
>
> I've also added an authenticationHandler to Hadoop to validate the
> hadoop-jwt cookie but that isn't really intended for the REST APIs but for
> the UI webapps for the various components. Since cookies are much more a
> webapp token than they are a REST API standard and there are many clients
> that would break if you changed the authentication of the REST APIs out
> from under them, we only put that handler in place for the UIs.
>
> Hope that makes sense.
>
> I will be adding additional config for the SSOCookieProvider in the next
> couple days.
>
> thanks,
>
> --larry
>
> On Thu, Mar 24, 2016 at 8:45 PM, hdp <[email protected]> wrote:
>
>> Hi Larry
>> What is the hadoop-jwt token used for after configured knoxSSO?
>> Does the service proxied by knox need to verify that hadoop-jwt token to
>> let the user login without challenging again?
>> I did not see how the services proxied by knox benefit from such "SSO"
>> from the current Dev guide's knoxSSO integration guide. Did I miss
>> anything?
>>
>> Thanks
>> Tony
>>
>> At 2016-03-24 21:25:50, "larry mccay" <[email protected]> wrote:
>>
>> Yes, that is correct.
>>
>> It is a protection against being redirected to pages that may do
>> something malicious like phishing, etc.
>> That should be documented in the users guide:
>> http://knox.apache.org/books/knox-0-8-0/user-guide.html#KnoxSSO+Configuration+Parameters
>>
>> On Thu, Mar 24, 2016 at 12:58 AM, hdp <[email protected]> wrote:
>>
>>> I also found that *knoxsso.redirect.whitelist.regex* should be
>>> configured in knoxSSO else it can only try to redirect to localhost, which
>>> makes it impossible to reference in a production usage.
>>>
>>> Thanks
>>> Tony
>>>
>>> At 2016-03-23 09:58:04, "larry mccay" <[email protected]> wrote:
>>>
>>> Yes, that typo has to be fixed as well.
>>> That class is in the Hadoop code base and is shown as an example of how
>>> to configure the Hadoop UIs to accept the SSO cookie created by KnoxSSO. It
>>> will be in the Hadoop 2.8 release and is also available on trunk.
>>>
>>> It can be used as an example of a filter for integration.
>>>
>>> You can also use the SSOCookieProvider which is discussed in the dev
>>> guide.
>>>
>>> The documentation for 0.7/8/9.0 have been updated to fix what you
>>> pointed out.
>>>
>>> I will be circling back to fix the typos and rendering issues with all
>>> of the apostrophes as well.
>>>
>>> On Tue, Mar 22, 2016 at 9:19 PM, hdp <[email protected]> wrote:
>>>
>>>> Hi Larry
>>>> Thanks for updating the document for knox0.7. Please also note that
>>>> knox 0.8 document has the same issue.
>>>>
>>>> And I found the following in knox0.7 KnoxSSO+Integration:
>>>>
>>>> <value>org.apache.hadoop/security.authentication/server.JWTRedirectAuthenticationHandler</value>
>>>>
>>>> Is this a typo? It should be
>>>> org.apache.hadoop.security.authentication.server.JWTRedirectAuthenticationHandler?
>>>> I did not find the class of JWTRedirectAuthenticationHandler in knox
>>>> 0.7 lib and its dependency, hadoop-auth-2.2.0.jar; neither knox0.8.
>>>>
>>>> Thanks
>>>>
>>>> At 2016-03-23 00:14:38, "larry mccay" <[email protected]> wrote:
>>>>
>>>> Hi Tony -
>>>>
>>>> Please see:
>>>> http://knox.apache.org/books/knox-0-7-0/dev-guide.html#KnoxSSO+Integration
>>>> for the missing documentation.
>>>>
>>>> I will need to circle back and some content rendering and review the
>>>> docs again very closely but this should provide you with an overview of
>>>> integrating applications with KnoxSSO.
>>>>
>>>> thanks,
>>>>
>>>> --larry
>>>>
>>>> On Tue, Mar 22, 2016 at 8:55 AM, larry mccay <[email protected]> wrote:
>>>>
>>>>> Hi Tony -
>>>>>
>>>>> I will take a look at the docs and get the missing information added -
>>>>> thank you for pointing it out.
>>>>>
>>>>> If you provide some information regarding exactly what you are looking
>>>>> to accomplish, I can give you more specific instructions.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> --larry
>>>>>
>>>>> On Tue, Mar 22, 2016 at 4:53 AM, hdp <[email protected]> wrote:
>>>>>
>>>>>> How can I make knox 0.7 SSO work?
>>>>>> The user's guide (KnoxSSO Setup and Configuration -> Introduction)
>>>>>> says "We also provide integration guidance within the developers guide
>>>>>> for other applications to be able to participate in these SSO
>>>>>> capabilities."
>>>>>> But I did not find how to make an application participate in SSO in the
>>>>>> developer's guide.
>>>>>>
>>>>>> The user's guide also says "[Please see the integration guide for
>>>>>> instructions in adding support for new applications.]"
>>>>>> I did not find the integration guide either.
>>>>>>
>>>>>> Can someone give a workable example for setting up knox-SSO?
>>>>>>
>>>>>> Thanks
>>>>>> Tony Huang
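
Added example, not part of the original thread and not Knox's own code: a Python sketch of the kind of check that knoxsso.redirect.whitelist.regex exists to perform on the post-login redirect target, with a loosely written pattern beside a strict one. It assumes the parameter holds a semicolon-delimited list of regular expressions that the whole URL must match; the host names, whitelist values and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# All values below are constructed samples, not taken from a real deployment.
# Assumed development-style value: relative paths and localhost only.
DEV_WHITELIST = r"^/.*$;^https?://localhost:\d{0,9}/.*$"
# Production-style value for a hypothetical application host.
PROD_WHITELIST = r"^https://apps\.example\.com(:\d{1,5})?/.*$"
# Weak value: unescaped dots and nothing pinning the end of the host name.
WEAK_WHITELIST = r"https://apps.example.com.*"


def compile_whitelist(value):
    """Split the (assumed) semicolon-delimited parameter into compiled patterns."""
    return [re.compile(p.strip()) for p in value.split(";") if p.strip()]


def redirect_allowed(original_url, whitelist_value):
    """Return True only if the whole redirect target matches a whitelist entry."""
    # Control characters and backslashes are parsed inconsistently by browsers.
    if any(ch in original_url for ch in "\r\n\t\\"):
        return False
    # "//host/path" is protocol-relative: it leaves the site even though it
    # starts with "/" and would satisfy a relative-path pattern like ^/.*$.
    if original_url.startswith("//"):
        return False
    parts = urlsplit(original_url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # "user@host" authority sections can disguise the real destination host.
    if "@" in parts.netloc:
        return False
    patterns = compile_whitelist(whitelist_value)
    return any(p.fullmatch(original_url) for p in patterns)


if __name__ == "__main__":
    lookalike = "https://apps.example.com.lookalike.example/ui/"
    for name, wl in [("strict", PROD_WHITELIST), ("weak", WEAK_WHITELIST)]:
        print(name, "whitelist allows lookalike host:", redirect_allowed(lookalike, wl))
```
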
