Re: Supporting delegation token service in Knox

2017-10-23 Thread Mohammad Islam
Thanks Larry. I knew Knox shortcomings and therefore were considering the alternatives. On Friday, October 20, 2017, 3:53:23 AM PDT, larry mccay wrote: No, we only proxy HTTP resources. If there is no proxyable REST API then we really can't get to it today. Perhaps at some point, we

Re: Supporting delegation token service in Knox

2017-10-20 Thread larry mccay
No, we only proxy HTTP resources. If there is no proxyable REST API then we really can't get to it today. Perhaps at some point, we may be able to leverage websockets to proxy other protocols but AFAIK they still require an HTTP component which the existing CLIs and RPC clients won't have. On Fri

Re: Supporting delegation token service in Knox

2017-10-19 Thread Mohammad Islam
Thanks again Larry. One comment online.
> We should be able to provide access to the same resources via proxied calls to the backend services that you require without leaking a credential that can be captured and replayed by anyone to spoof the original user.
We are exactly looking something li

Re: Supporting delegation token service in Knox

2017-10-19 Thread larry mccay
Thank you for the clarification. I did understand correctly. I think my characterization of this making Knox a delegation token factory was slightly off - we would be more of a delegation token broker. Which is just as inappropriate considering what I consider the charter of the Knox Gateway. If

Re: Supporting delegation token service in Knox

2017-10-19 Thread Mohammad Islam
Hi Larry, thanks for your reply. I believe I didn't explain our use-case properly. Let me give some context and address some concerns. Be warned - a long email :) We restrict the Kerberos access only within Hadoop cluster. Any access to Kerberos service from outside Hadoop is not recommended

Re: Supporting delegation token service in Knox

2017-10-18 Thread larry mccay
Hi Jérôme - Thanks for that heads up. We do actually have kerberos support through the Hadoop Auth Provider already which does incorporate support for accepting the Hadoop specific delegation tokens. If I understand the ask properly here, it is for Knox to request the Hadoop specific delegation t

Re: Supporting delegation token service in Knox

2017-10-17 Thread Jérôme LELEU
Hi, I just saw "Kerberos" somewhere in the discussion. I just wanted to quickly let you know that pac4j 2.1 supports Kerberos so things may be straight-forward after the pac4j upgrade. Thanks. Best regards, Jérôme
On Tue, Oct 17, 2017 at 1:37 PM, larry mccay wrote:
> Hi Mohammad -
>
> I need t

Re: Supporting delegation token service in Knox

2017-10-17 Thread larry mccay
Hi Mohammad - I need to better understand your usecase. It seems that you would like Knox to provide a delegation token factory type role where a service/user can authenticate to knox against LDAP or some other provider and return a delegation token without proxying a call to a backend service. S

Supporting delegation token service in Knox

2017-10-17 Thread Mohammad Islam
Hi, We have a use case where non-Hadoop services want to utilize delegation token instead of direct Kerberos ticket. Therefore, I'm wondering if Knox can support this service where Knox can get delegation tokens from Hadoop services such as HDFS, YARN, Hive, HBase etc. This will allow the non-Had