Take a look at KNOX-25 (https://issues.apache.org/jira/browse/KNOX-25). You may have missed it because in the source it is module gateway-provider-security-hadoopauth and the provider name is HadoopAuth. It also isn't fully documented yet as it was really step 1 in trying to support something larger (i.e. distcp) that we haven't made it back to. At any rate, the KNOX-25 jira shows how to configure it.

From: Da Peng DP Huang <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Sunday, March 27, 2016 at 10:55 PM
To: "[email protected]" <[email protected]>
Subject: Re: Does knox0.7 support kerberos authentication in Shiro provider or SSO provider?

Hi Kevin

I did not find the Kerberos/SPNego authentication provider in knox0.7, knox0.8 and master branch. Did I miss anything?

Thanks
Tony

From: Kevin Minder <[email protected]>
To: "[email protected]" <[email protected]>
Date: 03/26/2016 07:22
Subject: Re: Does knox0.7 support kerberos authentication in Shiro provider or SSO provider?
________________________________

I believe what you are asking may be possible but it may not work "out of the box". There is a Kerberos/SPNego authentication provider currently in Knox. This can probably be used for the SSO authentication the way you intend between the web browser and Knox. However these kerberos tokens cannot be used to impersonate the user to the back end service. All of the Hadoop services have implemented a trusted proxy model for that. In this model Knox itself (i.e. a knox user) authenticates via Kerberos to the back end service and propagates the effective user's identity to the back end service which is configured to trust that Knox has properly authenticated the user. So as I understand your use case you would need to implement that trusted proxy model in your service.

From: Da Peng DP Huang <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, March 24, 2016 at 12:53 AM
To: "[email protected]" <[email protected]>
Subject: Does knox0.7 support kerberos authentication in Shiro provider or SSO provider?

Hi all

I noticed Knox has Shiro provider to authenticate requests against LDAP. Does it support kerberos authentication?

We have an application deployed/managed as Hadoop service by Ambari. We implemented the Kerberos SSO in our app (Hadoop service), however, our kerberos SSO no longer works after being proxied by Knox0.7.

Our kerberos SSO procedure is like below (our Hadoop cluster has been secured by kerberos):

1. User kinit a kerberos principal in a Hadoop node machine [This can be done by kinit command in Linux shell].
2. User config the network.negotiate-auth.trusted-uris and network.negotiate.auth.delegation-uris in web browser.
3. Then user can directly login to our application in UI without being challenged for kerberos principal/credential [Actually the kerberos token and principal are propagated to our application's login module.]

Can anyone suggest how to resolve the issue? My thought is it is feasible to make our Kerberos SSO work if knox can authenticate against kerberos and pass the token/username to our app. Is this ok?

Thanks
_________________________________________________________________________________________________
Tony Huang
software engineer
IBM Big Data & Analytics|Analytic Server
Phone: 68030373
E-mail: [email protected]
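
The trusted proxy model described in the 03/26 reply, sketched from the back end service's side as an added example (not code from this thread, from Knox or from Hadoop). The policy table, group directory, `Request` type and `do_as` field are hypothetical; the policy shape is modelled on Hadoop's `hadoop.proxyuser.<name>.hosts` and `.groups` settings.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy: which authenticated callers may impersonate, from which
# hosts, and for members of which groups (hypothetical values).
PROXY_POLICY = {
    "knox": {"hosts": [ip_network("10.0.0.0/28")], "groups": {"analysts"}},
}
# Constructed group directory, standing in for an LDAP or OS group lookup.
USER_GROUPS = {"tony": {"analysts"}, "hdfs": {"supergroup"}}


@dataclass(frozen=True)
class Request:
    authenticated_principal: str   # identity proven by Kerberos/SPNEGO on this connection
    remote_addr: str               # peer address of the connection
    do_as: Optional[str] = None    # effective user asserted by the caller


def short_name(principal: str) -> str:
    """Reduce 'knox/host@REALM' to 'knox' (simplified; no mapping rules)."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def effective_user(req: Request) -> str:
    """Return the user the request runs as, or raise PermissionError."""
    caller = short_name(req.authenticated_principal)
    if not req.do_as or req.do_as == caller:
        return caller                      # no impersonation requested
    policy = PROXY_POLICY.get(caller)
    if policy is None:                     # only listed proxies may impersonate
        raise PermissionError(f"{caller} is not a trusted proxy")
    addr = ip_address(req.remote_addr)
    if not any(addr in net for net in policy["hosts"]):
        raise PermissionError(f"{caller} may not impersonate from {addr}")
    if not USER_GROUPS.get(req.do_as, set()) & policy["groups"]:
        raise PermissionError(f"{caller} may not impersonate {req.do_as}")
    return req.do_as
```

The service never sees the end user's Kerberos token here: it trusts the asserted user only because the connection itself was authenticated as the proxy and the policy allows that impersonation.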
