Posted to dev@knox.apache.org by Rick Kellogg <rm...@comcast.net> on 2017/12/22 18:58:22 UTC

Multiple Authentication Providers

Greetings,

After spending several days attempting to get HBase working with Knox in a
Kerberos secured environment, I discovered a crazy bug I want to share with
you.

I started with the default topology that included the ShiroProvider.  I set
the enabled value to false and added my HadoopAuth provider directly below
it with enabled set to true.  This was done so I could easily switch back
to the original if required.

When I finally thought to review the generated deployment artifacts, I
discovered the gateway.xml file did not include any reference to the
ShiroFilter or HadoopAuthFilter.  As such my subsequent use of the identity
assertion filter would fail with a missing Subject.

So basically one can only have a single authentication provider listed in
the topology.  It does not use the first enabled provider.  Next week, I
will research and attempt to suggest some suitable changes or warnings.

Thanks everyone for their assistance on this matter.  Almost completed my
HBase integration with Knox and Kerberos.

Take care,

Rick
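
Added example (not part of the original message and not Knox project code): a pre-deployment check for the situation described above, where a topology lists more than one provider for the authentication role and one of them is disabled. The sample topology is constructed, the function names are hypothetical, and treating a missing <enabled> element as enabled is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing the layout from the message:
# ShiroProvider disabled, HadoopAuth enabled directly below it.
SAMPLE_TOPOLOGY = """\
<topology>
  <gateway>
    <provider><role>authentication</role><name>ShiroProvider</name><enabled>false</enabled></provider>
    <provider><role>authentication</role><name>HadoopAuth</name><enabled>true</enabled></provider>
    <provider><role>identity-assertion</role><name>Default</name><enabled>true</enabled></provider>
  </gateway>
</topology>
"""

def providers_by_role(topology_xml):
    """Map each provider role to its [(name, enabled)] entries, in file order."""
    roles = {}
    for p in ET.fromstring(topology_xml).findall("./gateway/provider"):
        role = (p.findtext("role") or "").strip()
        name = (p.findtext("name") or "").strip()
        # Assumption: a provider without an <enabled> element counts as enabled.
        enabled = (p.findtext("enabled") or "true").strip().lower() == "true"
        roles.setdefault(role, []).append((name, enabled))
    return roles

def lint_topology(topology_xml):
    """Return warnings for roles that risk being deployed without their filter."""
    warnings = []
    for role, entries in providers_by_role(topology_xml).items():
        listed = ", ".join(f"{n}({'on' if e else 'off'})" for n, e in entries)
        if len(entries) > 1:
            # The case from the thread: extra providers are listed, even if disabled.
            warnings.append(f"{role}: {len(entries)} providers listed [{listed}]; "
                            "comment out the unused ones instead of disabling them")
        if not any(e for _, e in entries):
            warnings.append(f"{role}: no enabled provider [{listed}]")
    return warnings

if __name__ == "__main__":
    for w in lint_topology(SAMPLE_TOPOLOGY):
        print("WARN", w)
```

Run it against each topology file before deployment; an empty result means every role has exactly one listed provider and that provider is enabled.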


Re: Multiple Authentication Providers

Posted by larry mccay <lm...@apache.org>.
Yep - that sounds about right, Rick!
Will keep an eye out for the patch - we should consider that one for 1.0.0
actually.

On Thu, Dec 28, 2017 at 12:09 PM, Rick Kellogg <rm...@comcast.net>
wrote:

> I think I found the root cause of the issue.  Within the DeploymentFactory.collectTopologyProviders
> we need to check for enabled before inclusion in downstream processing.
> Will test out tomorrow and submit patch if correct.
>
> --Rick
>
> -----Original Message-----
> From: larry mccay [mailto:lmccay@apache.org]
> Sent: Friday, December 22, 2017 2:04 PM
> To: dev@knox.apache.org
> Subject: Re: Multiple Authentication Providers
>
> Interesting....
>
> I think that I have always commented out other providers to switch back
> and forth.
> Thinking of that deployment factory code, I can imagine this being
> entirely true.
>
>
> On Fri, Dec 22, 2017 at 1:58 PM, Rick Kellogg <rm...@comcast.net>
> wrote:
>
> > Greetings,
> >
> >
> >
> > After spending several days attempting to get HBase working with Knox
> > in a Kerberos secured environment, I discovered a crazy bug I want to
> > share with you.
> >
> >
> >
> > I started with the default topology that included the ShiroProvider.
> > I set the enabled value to false and added my HadoopAuth provider
> > directly below it with enabled set to true.  This was done so I could
> > easily switch back to the original if required.
> >
> >
> >
> > When I finally thought to review the generated deployment artifacts, I
> > discovered the gateway.xml file did not include any reference to the
> > ShiroFilter or HadoopAuthFilter.  As such my subsequent use of the
> > identity assertion filter would fail with a missing Subject.
> >
> >
> >
> > So basically one can only have a single authentication provider listed
> > in the topology.  It does not use the first enabled provider.  Next
> > week, I will research and attempt to suggest some suitable changes or
> > warnings.
> >
> >
> >
> > Thanks everyone for their assistance on this matter.  Almost completed
> > my HBase integration with Knox and Kerberos.
> >
> >
> >
> > Take care,
> >
> > Rick
> >
> >
>
>

RE: Multiple Authentication Providers

Posted by Rick Kellogg <rm...@comcast.net>.
I think I found the root cause of the issue.  Within the DeploymentFactory.collectTopologyProviders we need to check for enabled before inclusion in downstream processing.  Will test out tomorrow and submit patch if correct.

--Rick

-----Original Message-----
From: larry mccay [mailto:lmccay@apache.org] 
Sent: Friday, December 22, 2017 2:04 PM
To: dev@knox.apache.org
Subject: Re: Multiple Authentication Providers

Interesting....

I think that I have always commented out other providers to switch back and forth.
Thinking of that deployment factory code, I can imagine this being entirely true.


On Fri, Dec 22, 2017 at 1:58 PM, Rick Kellogg <rm...@comcast.net> wrote:

> Greetings,
>
>
>
> After spending several days attempting to get HBase working with Knox 
> in a Kerberos secured environment, I discovered a crazy bug I want to 
> share with you.
>
>
>
> I started with the default topology that included the ShiroProvider.  
> I set the enabled value to false and added my HadoopAuth provider directly below
> it with enabled set to true.    This was done so I could easily switch back
> to the original if required.
>
>
>
> When I finally thought to review the generated deployment artifacts, I 
> discovered the gateway.xml file did not include any reference to the 
> ShiroFilter or HadoopAuthFilter.  As such my subsequent use of the 
> identity assertion filter would fail with a missing Subject.
>
>
>
> So basically one can only have a single authentication provider listed 
> in the topology.  It does not use the first enabled provider.  Next 
> week, I will research and attempt to suggest some suitable changes or warnings.
>
>
>
> Thanks everyone for their assistance on this matter.  Almost completed 
> my HBase integration with Knox and Kerberos.
>
>
>
> Take care,
>
> Rick
>
>


Re: Multiple Authentication Providers

Posted by larry mccay <lm...@apache.org>.
Interesting....

I think that I have always commented out other providers to switch back and
forth.
Thinking of that deployment factory code, I can imagine this being entirely
true.


On Fri, Dec 22, 2017 at 1:58 PM, Rick Kellogg <rm...@comcast.net> wrote:

> Greetings,
>
>
>
> After spending several days attempting to get HBase working with Knox in a
> Kerberos secured environment, I discovered a crazy bug I want to share with
> you.
>
>
>
> I started with the default topology that included the ShiroProvider.  I set
> the enabled value to false and added my HadoopAuth provider directly below
> it with enabled set to true.    This was done so I could easily switch back
> to the original if required.
>
>
>
> When I finally thought to review the generated deployment artifacts, I
> discovered the gateway.xml file did not include any reference to the
> ShiroFilter or HadoopAuthFilter.  As such my subsequent use of the identity
> assertion filter would fail with a missing Subject.
>
>
>
> So basically one can only have a single authentication provider listed in
> the topology.  It does not use the first enabled provider.  Next week, I
> will research and attempt to suggest some suitable changes or warnings.
>
>
>
> Thanks everyone for their assistance on this matter.  Almost completed my
> HBase integration with Knox and Kerberos.
>
>
>
> Take care,
>
> Rick
>
>