[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16855675#comment-16855675
 ] 

Saqeeb Shaikh commented on ATLAS-3153:
--------------------------------------

[~bolke],

I tested the patch on HDP cluster with kerberos ON, encountered issues while 
forwarding the request to keycloak challenge page. The same setup on local 
(without kerberos ON) works well. Attached logs and keycloak.json. Can you 
please verify this setup on your end with kerberos ON.

PFA [^keycloak.json]  [^application.log]

^cc:[~madhan.neethiraj]^

 

> Support OpenID Connect directly rather than through Knox
> --------------------------------------------------------
>
>                 Key: ATLAS-3153
>                 URL: https://issues.apache.org/jira/browse/ATLAS-3153
>             Project: Atlas
>          Issue Type: Improvement
>          Components:  atlas-core, atlas-webui
>    Affects Versions: 2.0.0
>            Reporter: Bolke de Bruin
>            Priority: Major
>              Labels: authentication, authorization
>         Attachments: 0001-ATLAS-3153-Add-keycloak-authentication.patch, 
> application.log, keycloak.json, openid_connect_atlas.md
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The current SSO implementation with Apache Knox is limiting SSO 
> interoperability to Apache Knox. Knox uses JWT verification which could 
> easily be extended to allow for direct OpenID Connect support and doesn't 
> require organizations to deploy Knox.
> Required changes:
>  * Pickup bearer token from headers
>  * Improve and standardize redirecting
>  * Optionally: obtain certificates from well_known uri
>  * Optionally: obtain user groups from userinfo endpoint rather than UGI



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to