[
https://issues.apache.org/jira/browse/KNOX-2020?focusedWorklogId=318407&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-318407
]
ASF GitHub Bot logged work on KNOX-2020:
----------------------------------------
Author: ASF GitHub Bot
Created on: 25/Sep/19 15:34
Start Date: 25/Sep/19 15:34
Worklog Time Spent: 10m
Work Description: lmccay commented on issue #153: KNOX-2020 - AWS
federation support added to hadoop-jwt cookie
URL: https://github.com/apache/knox/pull/153#issuecomment-535080439
From my comment on JIRA KNOX-2020:
@sharad-oss - this looks interesting!
I'd actually like to see a one-pager type doc that describes the use cases,
the design and security considerations. Please attach it to the JIRA itself.
One thing that I am concerned about is the inclusion of sensitive
credentials in the JWT based cookie.
The cookie from KnoxSSO is intended for browsers and generally represents
the authenticated user but doesn't include credentials. It is essentially in
clear text since the JWT is merely base64 encoded. This is not sufficient
protection for credentials that can be used outside of the scope of Knox itself.
In terms of use cases, I'd like to understand the full flow including
how/where the credentials are actually used and what consumer will be provided
in Knox for the credentials.
----------------------------------------------------------------
Issue Time Tracking
-------------------
Worklog Id: (was: 318407)
Time Spent: 3h 50m (was: 3h 40m)
> Enhance hadoop-jwt cookie to interact with the AWS ecosystem
> ------------------------------------------------------------
>
> Key: KNOX-2020
> URL: https://issues.apache.org/jira/browse/KNOX-2020
> Project: Apache Knox
> Issue Type: New Feature
> Components: KnoxSSO, Server
> Reporter: Sharad
> Priority: Major
> Time Spent: 3h 50m
> Remaining Estimate: 0h
>
> It's desirable to access AWS managed services while accessing resources using
> Apache Knox. AWS provides SAML for federation, and we could enhance the SAML
> login flow in Knox to interact with AWS, and enhance the hadoop-jwt cookie
> with AWS credentials. The cookie now gives the gateway to interact with other
> AWS services like S3, DDB, EC2 etc (as defined by the IDP admin in the AWS
> Role that gets injected in SAML assertion).
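
The review comment's point that a JWT cookie is only base64 encoded, shown as an added example (not code from Knox or from the pull request): anyone holding the cookie can read its claims without the signing key, and a review check can flag credential-like claims before a token is issued. The claim names, key, and values are constructed placeholders, and HS256 is used only so the example needs nothing beyond the standard library.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWS (stand-in for a token issuer)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def read_claims_without_key(token: str) -> dict:
    """Decode the payload segment; the signature protects integrity, not secrecy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))

# Substrings (after stripping '_' and '-') that suggest a claim carries a credential.
SENSITIVE_HINTS = ("secret", "password", "accesskey", "sessiontoken", "credential")

def credential_like_claims(token: str) -> list:
    """Return dotted paths of claims, nested ones included, that look like credentials."""
    found = []
    def walk(obj, path):
        if isinstance(obj, dict):
            for name, value in obj.items():
                here = f"{path}.{name}" if path else name
                flat = name.lower().replace("_", "").replace("-", "")
                if any(hint in flat for hint in SENSITIVE_HINTS):
                    found.append(here)
                walk(value, here)
        elif isinstance(obj, list):
            for i, item in enumerate(obj):
                walk(item, f"{path}[{i}]")
    walk(read_claims_without_key(token), "")
    return sorted(found)

# Constructed sample tokens: one identity-only, one carrying placeholder credentials.
KEY = b"constructed-signing-key"
IDENTITY_ONLY = sign_jwt({"sub": "alice", "iss": "KNOXSSO", "exp": 1569500000}, KEY)
WITH_CREDS = sign_jwt({"sub": "alice", "iss": "KNOXSSO", "exp": 1569500000,
    "aws": {"access_key_id": "EXAMPLE-KEY-ID", "secret_access_key": "EXAMPLE-SECRET",
            "session_token": "EXAMPLE-SESSION-TOKEN"}}, KEY)
```

Neither `read_claims_without_key` nor `credential_like_claims` takes the signing key, which is the exposure the comment describes.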