Hi -

I am the Apache Knox PMC chair and a committer on Hadoop and other
ecosystem projects.

FYI, Apache Knox is indeed dependent on SPNEGO in httpclient.
Knox is a Hadoop ecosystem gateway and as part of the trusted proxy or
proxyuser pattern within Hadoop it requires all proxies that dispatch
requests on behalf of other users to authenticate via Kerberos/SPNEGO.
Knox is not the only proxyuser in the ecosystem and likely not the only one
that is leveraging HttpClient this way.
It is used within a huge number of Hadoop deployments both on-prem and in
the cloud and SPNEGO is critical to the security of these deployments.

We are currently on 4.5.13 for HttpClient.

A backward compatible path forward here is going to be needed and I'd be
happy to help out however I can.

thanks,

--larry

On Sat, Nov 20, 2021 at 2:08 PM Michael Osipov <micha...@apache.org> wrote:

> On 2021-11-20 at 19:35, Oleg Kalnichevski wrote:
> > On Sat, 2021-11-20 at 12:25 -0500, Karl Wright wrote:
> >> These protocols are, unfortunately, still used.
> >>
> >> However, the projects I know that use them have not yet moved to 5.x of
> >> httpcomponents.  Other projects I know of that used to use httpcomponents
> >> have since upgraded to different http libraries that supported http 2.0
> >> early on.
> >>
> >> The hint that all it takes is a shove from below to convince other projects
> >> to drop NTLM support is, perhaps, not accurate.  Projects that maintain
> >> NTLM support do so because they are tied to legacy systems that use it.
> >> Later improvements, e.g. Kerberos, have also only lightly been supported by
> >> HttpComponents, and only with external configuration, which really limits
> >> its utility.  ManifoldCF, which does much integration with windows
> >> systems, supports Kerberos but only in the most hacky way, because there
> >> wasn't anything more seamless available.
> >>
> >> I would therefore counter-propose that Kerberos become a first-class
> >> replacement to NTLM before NTLM is discontinued.  By first-class, I mean
> >> that it is possible to programmatically set up a kerberos connection
> >> without an external config file.  Maybe this is now possible; if so please
> >> correct me.
> >>
> >> I would love to be able to contribute to this effort, but I fear my day
> >> job's responsibilities are so vast and growing that this will be
> >> impossible.  At best I can maintain the projects I have; new development is
> >> out of the question at the moment.
> >>
> >> Karl
> >>
> >
> > Hi Karl
> >
> > I am so happy that you are still keeping an eye on the mailing list and
> > reacting on NTLM related matters.
> >
> > I do understand your position. The problem is there are no volunteers
> > eager to do work on Kerberos support either. We cannot keep on
> > pretending everything is all right. We need to make downstream projects
> > aware of the situation and making NTLM, SPNEGO and Kerberos opt-in
> > features by default would be the right thing to do in my opinion.
>
> FWIW, I have explicitly configured auth schemes in Wagon to those known
> to work (except NTLM): https://issues.apache.org/jira/browse/WAGON-539
>
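As an added example (not code from this thread, nor from Wagon, Knox or HttpClient's own sources), this is what the explicit, opt-in auth-scheme configuration Michael describes looks like when written against the HttpClient 4.5.x API that Larry says Knox uses: only SPNEGO and Kerberos are registered and preferred, so an NTLM (or Basic/Digest) challenge from a server or proxy is never answered and the 401 is simply returned to the caller. The gateway URL, service host and principal are constructed placeholders; the JAAS login configuration that the GSS-API layer still needs is the "external configuration" Karl refers to and is only pointed at here, not supplied.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import org.apache.http.auth.AuthScope;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.Credentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Lookup;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.KerberosSchemeFactory;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Example only: an HttpClient 4.5.x client that will negotiate SPNEGO/Kerberos and nothing else. */
public class OptInAuthSchemes {

    /**
     * Build the scheme registry by hand instead of taking HttpClient's default one.
     * Anything not registered here (NTLM, Basic, Digest) is unknown to the client,
     * so a challenge for it is logged as unsupported and the 401 is passed through.
     */
    static Lookup<AuthSchemeProvider> buildAuthSchemeRegistry() {
        boolean stripPort = true;             // build the SPN as HTTP/host, not HTTP/host:port
        boolean useCanonicalHostname = false; // do not DNS-canonicalise the host before building the SPN
        return RegistryBuilder.<AuthSchemeProvider>create()
                .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(stripPort, useCanonicalHostname))
                .register(AuthSchemes.KERBEROS, new KerberosSchemeFactory(stripPort, useCanonicalHostname))
                .build();
    }

    static CloseableHttpClient buildClient() {
        // Preferred order for both origin and proxy challenges; NTLM is deliberately absent.
        List<String> preferred = Arrays.asList(AuthSchemes.SPNEGO, AuthSchemes.KERBEROS);
        RequestConfig config = RequestConfig.custom()
                .setTargetPreferredAuthSchemes(preferred)
                .setProxyPreferredAuthSchemes(preferred)
                .build();

        // HttpClient 4.x looks up a Credentials object before it negotiates, but for SPNEGO and
        // Kerberos the ticket comes from the JAAS login / ticket cache via GSS-API, so the
        // object itself carries nothing. An AuthScope of (null, -1, null) matches any host/port/realm.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(null, -1, null), new Credentials() {
            @Override public Principal getUserPrincipal() { return null; }
            @Override public String getPassword() { return null; }
        });

        return HttpClients.custom()
                .setDefaultAuthSchemeRegistry(buildAuthSchemeRegistry())
                .setDefaultRequestConfig(config)
                .setDefaultCredentialsProvider(creds)
                .build();
    }

    /** Issue one GET and return the status; a 401 here means no registered scheme matched the challenge. */
    static int fetchStatus(CloseableHttpClient client, String url) throws IOException {
        try (CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            return resp.getStatusLine().getStatusCode();
        }
    }

    public static void main(String[] args) throws IOException {
        // The GSS layer still needs a JAAS login entry (by convention named com.sun.security.jgss.krb5.initiate
        // or com.sun.security.jgss.initiate) plus useSubjectCredsOnly=false; the file path is a placeholder.
        // javax.security.auth.login.Configuration.setConfiguration(...) is the in-process alternative.
        System.setProperty("java.security.auth.login.config", "/path/to/login.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Constructed placeholder endpoint; a real run needs a reachable SPNEGO-protected
        // gateway and a valid Kerberos ticket (kinit or keytab login) for the calling principal.
        String url = "https://gateway.example.test:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS";
        try (CloseableHttpClient client = buildClient()) {
            System.out.println("HTTP " + fetchStatus(client, url));
        }
    }
}
```

The point of building the registry explicitly rather than filtering the default one is that a server downgraded to offering only `WWW-Authenticate: NTLM` gets no response at all from this client, which is the observable behaviour an "opt-in by default" change in HttpClient would give every downstream project, and it is the behaviour to test for before such a change lands.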
