[ 
https://issues.apache.org/jira/browse/KNOX-1155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16486578#comment-16486578
 ] 

Larry McCay commented on KNOX-1155:
-----------------------------------

Thank you, [~dequanchen] - I will test out the new patch. Since you confirm 
that Elastic Search is going to do its own authentication, we can actually put 
the explicit declaration of the Anonymous provider back in. This will assert 
the authenticated user as "anonymous" to the backend service via a doas query 
param.

We do have to be mindful to make sure that, if Elastic Search supports Kerberos 
authentication, calls cannot be made by the Knox user. Keep in mind that 
Knox is a trusted proxy in the Hadoop ecosystem. This means that Knox will 
authenticate to backend services as itself and assert the authenticated user's 
identity via a doas param. In the absence of any other credentials in the 
request, Elastic Search must not just accept the Kerberos authentication as the 
authenticated user.

> Knox Gateway Service for ElasticSearch
> --------------------------------------
>
>                 Key: KNOX-1155
>                 URL: https://issues.apache.org/jira/browse/KNOX-1155
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Build, Release
>    Affects Versions: 0.9.0, 0.9.1, 0.10.0, 0.11.0
>         Environment: Knox Gateway Servers
>            Reporter: Dequan Chen
>            Assignee: Dequan Chen
>            Priority: Critical
>              Labels: patch
>             Fix For: 1.1.0
>
>         Attachments: KNOX-1155-001.patch, KNOX-1155-002.patch, rewrite.xml, 
> service.xml
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> We have used a lot of Knox Gateway Services and ElasticSearch service on our 
> Big Data platforms. However, there is no Knox Gateway Service for 
> ElasticSearch yet.  In our situation, we need such a Knox Gateway Service for 
> ElasticSearch without Knox to do the …
> authentication but ElasticSearch Rest Server(s) to do the authentication. As 
> per our use case, we have developed such a Knox Gateway ElasticSearch Service 
> (services/elasticsearch/1.0.0), and we are in a mode to share the code to the 
> Apache Knox community because it has been fully tested for the following 
> scenarios:
> (1)   No-LDAP, Local-LDAP or company-specific-LDAP authentication in the Knox 
> gateway;
> (2)   Any Elasticsearch Index - creation, deletion, refreshing and data - 
> writing, updating and retrieval;
> (3)   Elasticsearch node root query.
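
The trusted-proxy rule from the comment above, written out as a backend-side identity check. This is an added example, not code from Knox, Elasticsearch or the attached patches; the function name, the `knox` principal name, the case-insensitive match on `doas` and the precedence given to the backend's own authentication are assumptions.

```python
from urllib.parse import parse_qsl

TRUSTED_PROXIES = {"knox"}  # assumption: short name the gateway authenticates as
ANONYMOUS = "anonymous"     # identity asserted by the Anonymous provider


class Rejected(Exception):
    """The request must not be served under any identity."""


def effective_user(kerberos_principal, query_string, backend_user=None):
    """Return the user the backend should authorize, or raise Rejected.

    kerberos_principal: short name authenticated on the connection, or None
    query_string:       raw query string of the request
    backend_user:       user established by the backend's own authentication
                        from credentials carried in the request, or None
    """
    # Collect every doas value so that doas=a&doAs=b is seen as ambiguous.
    doas = [v for k, v in parse_qsl(query_string) if k.lower() == "doas"]
    if len(doas) > 1:
        raise Rejected("ambiguous doas parameter")
    asserted = doas[0] if doas else None

    if kerberos_principal not in TRUSTED_PROXIES:
        # A direct caller may not assert somebody else's identity.
        if asserted and asserted != kerberos_principal:
            raise Rejected("caller is not a trusted proxy")
        user = backend_user or kerberos_principal
        if not user:
            raise Rejected("unauthenticated")
        return user

    # The connection identity is the proxy itself. It vouches for the request
    # but must never become the effective user.
    if backend_user:
        return backend_user  # assumption: the backend's own authentication wins
    if not asserted or asserted == ANONYMOUS:
        raise Rejected("no end-user identity behind the proxy")
    return asserted
```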
