[
https://issues.apache.org/jira/browse/KNOX-3096?focusedWorklogId=958614&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-958614
]
ASF GitHub Bot logged work on KNOX-3096:
----------------------------------------
Author: ASF GitHub Bot
Created on: 25/Feb/25 05:22
Start Date: 25/Feb/25 05:22
Worklog Time Spent: 10m
Work Description: lmccay commented on PR #994:
URL: https://github.com/apache/knox/pull/994#issuecomment-2680573341
I will follow up with another change to chain the correlation IDs across
the local and remote knox instances. I want to get this in and make progress on
it first.
Issue Time Tracking
-------------------
Worklog Id: (was: 958614)
Time Spent: 20m (was: 10m)
> Remote Authentication Provider for Leveraging other Knox Instances
> ------------------------------------------------------------------
>
> Key: KNOX-3096
> URL: https://issues.apache.org/jira/browse/KNOX-3096
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> There are various possibilities for leveraging the authentication
> capabilities across Knox instances. One compelling reason is for
> containerized Knox instances within k8s that would like to accept CLIENT_ID
> and CLIENT_SECRET or Passcode tokens but do not have a local database
> provisioned. These Knox instances can accept the tokens by delegating the
> authentication to a remote instance configured with the appropriate database
> or other details that may not be available to all other instances. It will
> need to cache authentication results for a short but meaningful enough time
> to reduce the chance of authentication storms against the remote server. At
> the same time, authentication can't outlive a change in the user's status by any
> dangerous amount of time. Perhaps default to 5 mins.
> It should allow for the configuration of all relevant possible items such as:
> 1. remote authentication server url (likely to the KNOX-AUTH-SERVICE API)
> 2. truststore location
> 3. truststore password/alias
> 4. headers to include in the call to the remote server from the request being
> processed
> 5. expected headers from the response to include the user and groups
> 6. interval in mins for cache of authentication result to reduce
> authentication storms to remote server
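The caching requirement in the issue description above (a short TTL that absorbs authentication storms while bounding how long a revoked credential stays accepted), shown as an added example that is not code from Apache Knox or PR #994. `RemoteAuthCache` and the `remote_authenticate` callable are hypothetical names; keying the cache on an HMAC of the forwarded headers and not caching failures are assumptions of this example, not behaviour stated in the issue.

```python
import hashlib
import hmac
import os
import threading
import time

DEFAULT_TTL_SECONDS = 5 * 60  # the issue suggests defaulting to 5 minutes


class RemoteAuthCache:
    """Caches successful remote authentication results for a bounded time."""

    def __init__(self, remote_authenticate, include_headers,
                 ttl_seconds=DEFAULT_TTL_SECONDS, clock=time.monotonic):
        # Hypothetical callable: dict of forwarded headers -> (user, groups) or None.
        self._remote = remote_authenticate
        self._include = [h.lower() for h in include_headers]
        self._ttl = ttl_seconds
        self._clock = clock
        self._key = os.urandom(32)   # per-process key: raw secrets are never cache keys
        self._entries = {}           # digest -> (expires_at, user, groups)
        self._lock = threading.Lock()

    def _digest(self, lowered):
        material = "\n".join(f"{h}:{lowered.get(h, '')}" for h in self._include)
        return hmac.new(self._key, material.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, headers):
        lowered = {k.lower(): v for k, v in headers.items()}
        digest = self._digest(lowered)
        now = self._clock()
        with self._lock:
            entry = self._entries.get(digest)
            if entry and entry[0] > now:
                return entry[1], entry[2]        # fresh hit: no remote call
            self._entries.pop(digest, None)      # drop an expired entry
        # Forward only the configured headers to the remote instance.
        forwarded = {h: lowered[h] for h in self._include if h in lowered}
        result = self._remote(forwarded)
        if result is None:
            return None                          # failures are not cached
        user, groups = result
        with self._lock:
            self._entries[digest] = (now + self._ttl, user, tuple(groups))
        return user, tuple(groups)
```

The TTL is the worst-case time a credential revoked on the remote instance is still accepted locally, so it should be chosen as a revocation bound and not only as a load-reduction setting.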