All - I have been considering the use of the following project to add support for SPNEGO authentication for REST clients to the Knox Gateway.
http://spnego.sourceforge.net/index.html

"However, if your organization uses java based web/application servers, and you prefer Kerberos <http://en.wikipedia.org/wiki/Kerberos_%28protocol%29> / SPNEGO <http://en.wikipedia.org/wiki/SPNEGO> instead of NTLM <http://en.wikipedia.org/wiki/NTLM> as the authentication protocol, and you would rather have a Java Servlet Filter <http://www.jcp.org/en/jsr/detail?id=53> (JSR-53) based implementation instead of a container specific authentication module <http://www.jcp.org/en/jsr/detail?id=196> (JSR-196), and you want SSO (no username/password prompt), then this project may be of some interest to you."

This may or may not buy us anything above and beyond how it is already done within Hadoop. We would certainly need to make sure that it doesn't somehow interfere with existing implementations.

At any rate, the development of an authentication provider from this would be really straightforward - the documentation spells out exactly what our providerContributor would need to do in order to inject the filter.

The use cases enabled with this provider would be:

1. Client authenticating to Gateway with SPNEGO and accessing Pseudo/Simple Hadoop Cluster with identity asserted to cluster via user.name
2. Client authenticating to Gateway with SPNEGO and accessing Kerberos secured Hadoop Cluster with Gateway authenticating to services and identity asserted to cluster via trusted proxy user doAs

Interested in opinions on whether we should consider this. Given a general feeling that we could use it we can file a JIRA to add it.

thanks,

--larry
