[ 
https://issues.apache.org/jira/browse/KNOX-2020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16970548#comment-16970548
 ] 

Sharad K commented on KNOX-2020:
--------------------------------

Thanks [~lmccay] for the detailed feedback. I am fine either way - being in 
KIP and/or moving this to 1.5.0.

One idea which I've been thinking about is this use case:
 * A tool that lets users extract their SAMLResponse (still just talking to the IDP, 
much like what kinit does). This would need some work across IDPs (ADFS, 
PingIdentity WS-Trust, SAML ECP for Shibboleth; form-based authentication would 
essentially work for most IDPs, though it's not the preferred way). POST this to 
the Knox SSO endpoint, and in the process cloud credentials are generated. 
 * Pluggable cloud credential delivery - could be to a Hadoop credentials file 
(and not in the cookie) in HDFS. Requires permissions in the Knox process to do 
this (and Kerberos for HDFS security).
 * From there this would work:
     hadoop fs \
       -D hadoop.security.credential.provider.path=jceks://[email protected]:9001/user/backup/s3.jceks \
       -ls s3a://glacier1/

> Enhance hadoop-jwt cookie to interact with the AWS ecosystem
> ------------------------------------------------------------
>
>                 Key: KNOX-2020
>                 URL: https://issues.apache.org/jira/browse/KNOX-2020
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: KnoxSSO, Server
>            Reporter: Sharad K
>            Priority: Major
>         Attachments: AWS Federation in Knox.docx
>
>          Time Spent: 6h 50m
>  Remaining Estimate: 0h
>
> It's desirable to access AWS managed services while accessing resources using 
> Apache Knox. AWS provides SAML for federation, and we could enhance the SAML 
> login flow in Knox to interact with AWS, and enhance the hadoop-jwt cookie 
> with AWS credentials. The cookie now gives the gateway to interact with other 
> AWS services like S3, DDB, EC2 etc (as defined by the IDP admin in the AWS 
> Role that gets injected in SAML assertion).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
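
The credential handling sketched in the comment and in the issue description above (AWS role pairs carried in the SAML assertion, exchanged at STS for temporary keys, then delivered to an S3A credential store rather than the cookie), as an added example in Python that is not Apache Knox code and not part of this thread. It parses the AWS Role entitlements out of a SAML Response, builds the AssumeRoleWithSAML request for one of them, and maps the STS reply to the S3A aliases a JCEKS delivery step would store. The SAML Response, account id, role and provider names are constructed; the real request goes to AWS STS, which is also what verifies the IdP's signature, so nothing here should be used for an authorization decision on its own.

```python
"""Parse AWS role entitlements out of a SAML Response and derive the S3A
credential entries a Knox-side delivery step would write to a JCEKS store.

Added example (not Apache Knox code). The SAML Response is constructed and
unsigned: in the real flow AWS STS verifies the IdP signature when the
assertion is presented to AssumeRoleWithSAML; this code does not.
"""
import base64
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample assertion; account id, role and provider names are
# placeholders. The first Role value is written role-first, the second
# provider-first, because AWS accepts either order.
SAMPLE_RESPONSE_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/knox-s3-reader,arn:aws:iam::123456789012:saml-provider/corp-idp</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/corp-idp,arn:aws:iam::123456789012:role/knox-s3-writer</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# The form the IdP POSTs (and the extraction tool in the comment would hand
# to the Knox SSO endpoint): base64 of the XML.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def split_role_pair(value):
    """Normalise one Role attribute value to (role_arn, saml_provider_arn)."""
    parts = [p.strip() for p in value.split(",")]
    roles = [p for p in parts if ":role/" in p]
    providers = [p for p in parts if ":saml-provider/" in p]
    if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
        raise ValueError("malformed AWS Role attribute value: %r" % value)
    return roles[0], providers[0]


def parse_aws_roles(saml_response_b64):
    """Return ([(role_arn, provider_arn), ...], role_session_name)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs, session_name = [], None
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") == AWS_ROLE_ATTR:
            pairs.extend(split_role_pair(v) for v in values)
        elif attr.get("Name") == AWS_SESSION_NAME_ATTR and values:
            session_name = values[0]
    if not pairs:
        raise ValueError("assertion carries no AWS Role attribute")
    return pairs, session_name


def assume_role_request(saml_response_b64, role_arn, duration_seconds=3600):
    """Parameters for sts:AssumeRoleWithSAML (boto3: sts.assume_role_with_saml(**req)).

    STS itself rejects a role the assertion does not list; checking here gives
    the caller a clear error before any network call is made.
    """
    pairs, _ = parse_aws_roles(saml_response_b64)
    provider_for = dict(pairs)
    if role_arn not in provider_for:
        raise PermissionError("%s is not granted by the SAML assertion" % role_arn)
    return {
        "RoleArn": role_arn,
        "PrincipalArn": provider_for[role_arn],
        "SAMLAssertion": saml_response_b64,
        "DurationSeconds": duration_seconds,  # capped by the role's MaxSessionDuration
    }


def s3a_credential_entries(sts_credentials):
    """Map an STS Credentials block to the S3A aliases stored in the JCEKS file.

    These are temporary credentials, so the session token must be stored too,
    and fs.s3a.aws.credentials.provider must name TemporaryAWSCredentialsProvider.
    """
    return {
        "fs.s3a.access.key": sts_credentials["AccessKeyId"],
        "fs.s3a.secret.key": sts_credentials["SecretAccessKey"],
        "fs.s3a.session.token": sts_credentials["SessionToken"],
    }


if __name__ == "__main__":
    pairs, name = parse_aws_roles(SAMPLE_RESPONSE_B64)
    print(name, pairs)
    print(assume_role_request(SAMPLE_RESPONSE_B64, pairs[0][0])["PrincipalArn"])
```

Two points a practitioner would want to check before wiring this into a delivery step: the three S3A aliases can be written into the HDFS-backed provider with `hadoop credential create <alias> -value <secret> -provider jceks://...` (the Knox process needs write access to that path, with a Kerberos identity when HDFS is secured, as the comment notes), and because these are STS session credentials they expire at DurationSeconds, so the delivered file has to be refreshed on each login rather than treated as a long-lived key pair.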
