[ https://issues.apache.org/jira/browse/KNOX-1155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16486578#comment-16486578 ]
Larry McCay commented on KNOX-1155:
-----------------------------------

Thank you, [~dequanchen] - I will test out the new patch.

Since you confirm that Elastic Search is going to do its own authentication, we can actually put the explicit declaration of the Anonymous provider back in. This will assert the authenticated user as "anonymous" to the backend service via a doas query param.

We do have to be mindful to make sure that if Elastic Search supports Kerberos authentication that calls cannot be made by the Knox user. Keep in mind that Knox is a trusted proxy in the Hadoop ecosystem. This means that Knox will authenticate to backend services as itself and assert the authenticated user's identity via a doas param. In the absence of any other credentials in the request, Elastic Search must not just accept the Kerberos authentication as the authenticated user.

> Knox Gateway Service for ElasticSearch
> --------------------------------------
>
>                 Key: KNOX-1155
>                 URL: https://issues.apache.org/jira/browse/KNOX-1155
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Build, Release
>   Affects Versions: 0.9.0, 0.9.1, 0.10.0, 0.11.0
>         Environment: Knox Gateway Servers
>            Reporter: Dequan Chen
>            Assignee: Dequan Chen
>            Priority: Critical
>              Labels: patch
>             Fix For: 1.1.0
>
>         Attachments: KNOX-1155-001.patch, KNOX-1155-002.patch, rewrite.xml, service.xml
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> We have used a lot of Knox Gateway Services and ElasticSearch service on our
> Big Data platforms. However, there is no Knox Gateway Service for
> ElasticSearch yet. In our situation, we need such a Knox Gateway Service for
> ElasticSearch without Knox to do the …
> authentication but ElasticSearch REST Server(s) to do the authentication. As
> per our use case, we have developed such a Knox Gateway ElasticSearch Service
> (services/elasticsearch/1.0.0), and we are in a mode to share the code to the
> Apache Knox community because it has been fully tested for the following
> scenarios:
> (1) No-LDAP, Local-LDAP or company-specific-LDAP authentication in the Knox
> gateway;
> (2) Any Elasticsearch Index - creation, deletion, refreshing and data -
> writing, updating and retrieval;
> (3) Elasticsearch node root query.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
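
The trusted-proxy rule described in the comment above, sketched as the check a backend service would apply. This is an added example, not code from the JIRA thread, Knox or Elasticsearch; the `TRUSTED_PROXIES` set, the `Rejected` exception and the function names are hypothetical, and the principals and URLs are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: short names of principals allowed to impersonate (hypothetical).
TRUSTED_PROXIES = {"knox"}


class Rejected(Exception):
    """The request must be refused (HTTP 401/403 in a real service)."""


def short_name(principal: str) -> str:
    # "knox/gw1.example.com@EXAMPLE.COM" -> "knox"
    return principal.split("@", 1)[0].split("/", 1)[0]


def effective_user(kerberos_principal: str, url: str) -> str:
    """Return the user the request should run as, or raise Rejected."""
    caller = short_name(kerberos_principal)
    doas = parse_qs(urlsplit(url).query, keep_blank_values=True).get("doas", [])
    if caller in TRUSTED_PROXIES:
        # The proxy's own Kerberos identity is never an end-user identity:
        # exactly one non-empty doas value must name the user.
        if len(doas) != 1 or not doas[0].strip():
            raise Rejected("proxy request without a single doas user")
        if short_name(doas[0]) in TRUSTED_PROXIES:
            raise Rejected("doas may not name a proxy principal")
        return doas[0]
    if doas:
        # Only trusted proxies may assert someone else's identity.
        raise Rejected(f"{caller} is not allowed to impersonate")
    return caller
```

With the Anonymous provider enabled, the asserted user is the literal `anonymous`, so the backend's own authentication still has to decide what that request may do.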