I believe what you are asking may be possible but it may not work "out of the box". There is a Kerberos/SPNego authentication provider currently in Knox. This can probably be used to for the SSO authentication the way you intend between the web browser and Knox. However these kerberos tokens cannot be used to impersonate the user to the back end service. All of the Hadoop services have implemented a trusted proxy model for that. In this model Knox itself (i.e. a knox user) authenticates via Kerberos to the back end service and propagates the effective users' identity to the back end service which is configured to trust that Knox has properly authenticated the user. So as I understand your use case you would need to implement that trusted proxy model in your service.
From: Da Peng DP Huang <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Thursday, March 24, 2016 at 12:53 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Does knox0.7 support kerberos authentication in Shiro provider or SSO provider? Hi all I noticed Knox has Shiro provider to authenticate requests against LDAP. Does it support kerberos authentication? We have an application deployed/managed as Hadoop service by Ambari.We implemented the Kerberos SSO in our app(Hadoop service), howerver, our kerberos SSO on longer work after proxied by Knox0.7. Our kerberos SSO procedure is like below(Our Hadoop cluster has been secured by kerberos): 1.User kinit a kerberos principal in a Hadoop node machine[This can be done by kinit command in Linux shell]. 2.User config the network.negotiate-auth.trusted-uris and network.negotiate.auth.delegation-uris in web browser. 3.Then user can directly login to our application in UI without being challenged for kerberos principal/credential[Actually the kerberos token and principal are propagated to our application's login module.] Can anyone suggest to resolve the issue? My thought is it is feasible to make our Kerberos SSO work if knox can authenticate against kerberos and pass the token/username to our app. Is this ok? Thanks _________________________________________________________________________________________________ Tony Huang software engineer IBM Big Data & Analytics|Analytic Server Phone: 68030373 E-mail: [email protected]<mailto:[email protected]> [cid:1__=8FBBF513DF8BC8738f9e8a93df938690918c8FB@]
