Hi, I'm trying to collate my options and gather some examples on how to have Knox set up in front of a Custom REST API in a Kerberised Cluster. As an example, the custom rest api would be running queries against an HBase server. We'd like the user outside the cluster that is authenticated with Knox (users are in Active Directory so need this set up too) to be used when querying HBase (HBase authorised by Ranger and we have SSSD/User sync configured).
Am I correct in understanding that Knox by default will add a doAs request parameter for the authenticated user when configured in a kerberised cluster that can then be used by the service? I'm a little uncomfortable with that just being it though, as then obviously anything inside the cluster with access to the service can pretend to be anyone. What are my options for making this a bit more robust?

From previous reading through the Knox mailing list it seems I can use something in the hadoop-auth package, would anyone have any further details or an example of that? Is it possible for Knox to authenticate and obtain a delegation token (so as to not have to perform SPNEGO again at Custom REST API) and add it to the request, and then have the custom API validate this token securely? I'm assuming this then will add the need for HTTPS comms internally in the cluster to protect the token?

Cheers,
Tom Ellis
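One standard way to address the "anything inside the cluster can set doAs" concern is the Hadoop-style proxy-user (impersonation) check: the custom API first authenticates the caller (Knox's own service principal, via SPNEGO) and honours doAs only if that authenticated caller is configured as a proxy user for the source host and the target user. The following is an added, self-contained Python model of that rule written for this thread; it is not Knox, hadoop-auth or Hadoop code, and the rule names, hosts, users and groups are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed model of Hadoop's impersonation rule (the core-site.xml
# hadoop.proxyuser.<proxy>.hosts / .users / .groups semantics).
# Not Knox or hadoop-auth code; a real service would read these from config.

@dataclass
class ProxyUserRule:
    hosts: set                                 # hosts the proxy may call from ("*" = any)
    users: set = field(default_factory=set)    # users it may impersonate ("*" = any)
    groups: set = field(default_factory=set)   # or any member of these groups

class ImpersonationDenied(Exception):
    """Raised when a doAs request must be rejected (log it, answer 403)."""

def short_name(principal):
    # Simplified auth_to_local mapping: 'knox/gw.example.com@EXAMPLE.COM' -> 'knox'
    return principal.split("@", 1)[0].split("/", 1)[0]

def resolve_effective_user(principal, do_as, remote_host, rules, group_lookup):
    """Return the user the request should run as, or raise ImpersonationDenied.

    principal    - caller already proven by SPNEGO/Kerberos before this is called
    do_as        - value of the doAs query parameter, or None
    remote_host  - peer address of the TCP connection (not a header)
    rules        - {proxy short name: ProxyUserRule}
    group_lookup - callable user -> set of groups (SSSD/LDAP in production)
    """
    caller = short_name(principal)
    if not do_as or do_as == caller:
        return caller                      # no impersonation requested
    rule = rules.get(caller)
    if rule is None:                       # an ordinary in-cluster user cannot doAs anyone
        raise ImpersonationDenied(f"{caller} is not a configured proxy user")
    if "*" not in rule.hosts and remote_host not in rule.hosts:
        raise ImpersonationDenied(f"{caller} may not impersonate from {remote_host}")
    allowed = ("*" in rule.users or do_as in rule.users
               or "*" in rule.groups or bool(group_lookup(do_as) & rule.groups))
    if not allowed:
        raise ImpersonationDenied(f"{caller} may not impersonate {do_as}")
    return do_as

# Constructed sample policy: only the Knox gateway host may impersonate analysts.
SAMPLE_RULES = {"knox": ProxyUserRule(hosts={"10.0.0.5"}, groups={"analysts"})}
SAMPLE_GROUPS = {"alice": {"analysts"}, "bob": {"ops"}}

def sample_lookup(user):
    return SAMPLE_GROUPS.get(user, set())

if __name__ == "__main__":
    print(resolve_effective_user("knox/gw.example.com@EXAMPLE.COM", "alice",
                                 "10.0.0.5", SAMPLE_RULES, sample_lookup))
```

The check only helps if the service really authenticates the caller and reads the peer address from the connection, which is why the in-cluster hop should also be TLS-protected as the question anticipates.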
