Posted to dev@knox.apache.org by "Larry McCay (Jira)" <ji...@apache.org> on 2020/07/27 23:26:00 UTC

[jira] [Commented] (KNOX-2411) Implement composite authentication provider

    [ https://issues.apache.org/jira/browse/KNOX-2411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17166020#comment-17166020 ] 

Larry McCay commented on KNOX-2411:
-----------------------------------

[~smolnar] - this sounds good. Couple comments:

1. This will only target JWT Bearer token and kerberos for now but will not be hardcoded for these providers only. In other words, the individual providers that make up the composite will need to be config and interface driven rather than hardcoded with classnames, etc.
2. We should extend the providers with an interface that will need to be supported for inclusion in the composite. A method to check for credentials or token, and maybe a verification method as well, which can be NOP'd when not appropriate.
3. There is also some consideration needed for combining providers that have redirects or even HTTP 401 based challenges that may never return. I think that we need to communicate that it requires providers with pre-emptive credentials like bearer token or pre-emptive Basic Auth and optionally one redirect based one at the end.

Now, if we want a hardcoded and more simple approach then we should consider adding JWT support to the HadoopAuthProvider.

> Implement composite authentication provider
> -------------------------------------------
>
>                 Key: KNOX-2411
>                 URL: https://issues.apache.org/jira/browse/KNOX-2411
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>    Affects Versions: 1.5.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 1.5.0
>
>
> End-users should have a way of having different authentication providers bound to the same topology. For the first time, this _composite_ authentication provider will default to the following behavior:
>  * this is going to be a new servlet Filter (just like other providers) implementation
>  * as with all providers in the Knox gateway, the composite authentication provider is configured through provider parameters
>  * only {{JWT}} and {{HadoopAuth}} authentication providers are supported
>  * in the {{doFilter}} method, there is going to be a check if the incoming request has a valid JWT token (as a {{bearer}} token) extracted from the {{Authorization}} header. If this is true, the request is then processed on behalf of the user represented by the JWT token (using the existing JWT federation provider). If there is no _valid_ JWT token, the new filter will try to achieve authentication using the existing {{HadoopAuth}} authentication filter.
> Later on, this composite authentication provider can be extended with different use-cases.



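One way the interface-driven composite and the "redirect or challenge provider only at the end" ordering discussed in this thread could look, as an added sketch that is not Knox code and not part of the original messages. Every type and method name is hypothetical, requests are reduced to a header map, and the token check is a constructed stand-in for real JWT validation.

```java
import java.util.*;
import java.util.function.Predicate;
public class CompositeAuthSketch { // added sketch; all names hypothetical, not Knox APIs
  interface Candidate {
    String name();
    boolean preemptive();                          // false: 401 challenge or redirect
    boolean hasCredentials(Map<String, String> h); // presence check, no side effects
    default boolean verify(Map<String, String> h) { return true; } // NOP by default
  }

  static Candidate bearer(Predicate<String> tokenIsValid) {
    return new Candidate() {
      public String name() { return "JWT"; }
      public boolean preemptive() { return true; }
      public boolean hasCredentials(Map<String, String> h) {
        return h.getOrDefault("Authorization", "").regionMatches(true, 0, "Bearer ", 0, 7);
      }
      public boolean verify(Map<String, String> h) {
        return tokenIsValid.test(h.get("Authorization").substring(7).trim());
      }
    };
  }

  static Candidate challenge(String label) {
    return new Candidate() {
      public String name() { return label; }
      public boolean preemptive() { return false; }
      public boolean hasCredentials(Map<String, String> h) { return true; }
    };
  }

  static void validate(List<Candidate> chain) { // config-time: a provider that may never return goes last
    for (Candidate c : chain.subList(0, Math.max(0, chain.size() - 1)))
      if (!c.preemptive()) throw new IllegalArgumentException(c.name() + " must be last");
  }

  static Candidate select(List<Candidate> chain, Map<String, String> h) { // null means reject
    for (Candidate c : chain)
      if (!c.preemptive() || (c.hasCredentials(h) && c.verify(h))) return c;
    return null;
  }

  public static void main(String[] args) {
    List<Candidate> chain = List.of(bearer("constructed-valid-token"::equals), challenge("HadoopAuth"));
    validate(chain);
    for (String a : List.of("Bearer constructed-valid-token", "Bearer expired", "Negotiate YII=")) // constructed
      System.out.println(a + " -> " + select(chain, Map.of("Authorization", a)).name());
  }
}
```

As in the issue description, a bearer token that is present but fails verification falls through to the next provider instead of ending the request. A chain made up only of pre-emptive providers returns `null` from `select` when none of them accepts the request.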