Foreseen release date for 0.5.0 and support SPNEGO

[Stefano Galarraga <ga...@gmail.com>]

Hello,

I’m planning to use Knox to support Kerberos authentication in my Hadoop cluster and I saw that the support for SPNEGO will be available from version 0.5.0.
Is there any foreseen date for the release date of 0.5.0?

Thanks

- Stefano 

Re: Foreseen release date for 0.5.0 and support SPNEGO

[larry mccay <la...@gmail.com>]

I see.

If you plan to use Knox to proxy your service invocations then you need to
be aware of a couple things:

1. you will need a Knox service for your services in order to route
requests to them
2. if you wanted to eliminate the need for kerberos on your endpoints and
just use the SPNEGO support in Knox then:
    a. you don't want your services to be open to identity spoofing from
inside the cluster. A mapreduce job running inside the cluster can take
advantage of the fact that your endpoints are not secured with kerberos and
pretend to be anyone that they want.
    b. when knox protected cluster is secured - all of the services that
knox dispatches to are expected to be kerberized. This could be addressed
with custom dispatcher for your services but that will require dispatch
development and not address a. above.


On Wed, Oct 29, 2014 at 9:54 AM, Stefano Galarraga <ga...@gmail.com>
wrote:

> Hi Iarry,
>
> Sorry, I explained quite badly...
>
> Actually my idea was to have Knox as an authentication server sitting
> in front of our services and handling the authentication phase like in
> your presentation at
> (http://www.slideshare.net/Hadoop_Summit/th-130p211minder).
>
> I'm having a look at the gateway-service-admin project. It looks very
> interesting. We are going to develop most of our services in Scala
> with Spray, not sure how well they integrate but if you could send me
> the article I'll have a look at it.
>
>
> Thanks a lot
>
> - Stefano
>
> On Wed, Oct 29, 2014 at 12:04 PM, larry mccay <la...@gmail.com>
> wrote:
> > Hey Stefano -
> >
> > That sounds interesting...
> >
> > Exactly what do you mean by delegate to Knox from your custom services
> for
> > authentication - is this for calling through Knox to backend Hadoop
> services
> > or are you going to try and just use Knox as an authentication server?
> >
> > It may be worth your time to consider actually implementing your custom
> > services within Knox itself.
> > We have a special Jersey Service in Knox for just such usecases - you can
> > see the admin service as an example - in master and 0.5.0.
> >
> > This would allow you to leverage the authentication mechanisms in Knox
> and
> > serve the REST resources from there as well.
> >
> > Calling out to Knox as an authentication server will require some sort of
> > pivoting from the provider chain - or will require you to stand up a
> > server/s hosting your services behind Knox and a custom Knox service to
> > route to them.
> >
> > If the Jersey Service sounds like what you need, I can get you a article
> on
> > how to implement one.
> >
> > thanks,
> >
> > --larry
> >
> >
> > On Wed, Oct 29, 2014 at 7:29 AM, Stefano Galarraga <galarragas@gmail.com
> >
> > wrote:
> >>
> >> Hi larry,
> >>
> >> Thanks for the quick answer and great to know that the RC is coming out
> >> soon. It will be great to have the pointers to the documentation when
> this
> >> will be available.
> >>
> >> We are building our development cluster that will be Kerberized and want
> >> to allow authentication for some of the standard Hadoop Web Services
> plus a
> >> series of custom REST API we are going to develop. The final environment
> >> where the production environment would be built is currently using
> SPNEGO
> >> for similar cases. We were thinking to delegate to Knox the
> authentication
> >> phase to avoid re-implementing on any of the services.
> >>
> >> Regards
> >>
> >> - Stefano
> >>
> >>
> >> On 29 Oct 2014, at 11:17, larry mccay <la...@gmail.com> wrote:
> >>
> >> Hi Stefano -
> >>
> >> Thanks for your interest in Knox 0.5.0!
> >>
> >> We are in the process of testing our 2nd 0.5.0 release candidate right
> >> now.
> >>
> >> The release should be available within the next couple weeks.
> >>
> >> I'd be interested to hear a bit more about your intended use of SPNEGO
> >> with Knox.
> >> I will also be documenting the SPNEGO feature in the near future and can
> >> send you a pointer when that is ready - if you would like to try it out
> >> early and provide some testing.
> >>
> >> thanks,
> >>
> >> --larry
> >>
> >>
> >> On Wed, Oct 29, 2014 at 6:48 AM, Stefano Galarraga <
> galarragas@gmail.com>
> >> wrote:
> >>>
> >>> Hello,
> >>>
> >>> I’m planning to use Knox to support Kerberos authentication in my
> Hadoop
> >>> cluster and I saw that the support for SPNEGO will be available from
> version
> >>> 0.5.0.
> >>> Is there any foreseen date for the release date of 0.5.0?
> >>>
> >>> Thanks
> >>>
> >>> - Stefano
> >>
> >>
> >>
> >
>
>
>
> --
> "Confidence is what you have before you understand the problem" - Woody
> Allen
>

Re: Foreseen release date for 0.5.0 and support SPNEGO

[Stefano Galarraga <ga...@gmail.com>]

Hi Iarry,

Sorry, I explained quite badly...

Actually my idea was to have Knox as an authentication server sitting
in front of our services and handling the authentication phase like in
your presentation at
(http://www.slideshare.net/Hadoop_Summit/th-130p211minder).

I'm having a look at the gateway-service-admin project. It looks very
interesting. We are going to develop most of our services in Scala
with Spray, not sure how well they integrate but if you could send me
the article I'll have a look at it.


Thanks a lot

- Stefano

On Wed, Oct 29, 2014 at 12:04 PM, larry mccay <la...@gmail.com> wrote:
> Hey Stefano -
>
> That sounds interesting...
>
> Exactly what do you mean by delegate to Knox from your custom services for
> authentication - is this for calling through Knox to backend Hadoop services
> or are you going to try and just use Knox as an authentication server?
>
> It may be worth your time to consider actually implementing your custom
> services within Knox itself.
> We have a special Jersey Service in Knox for just such usecases - you can
> see the admin service as an example - in master and 0.5.0.
>
> This would allow you to leverage the authentication mechanisms in Knox and
> serve the REST resources from there as well.
>
> Calling out to Knox as an authentication server will require some sort of
> pivoting from the provider chain - or will require you to stand up a
> server/s hosting your services behind Knox and a custom Knox service to
> route to them.
>
> If the Jersey Service sounds like what you need, I can get you a article on
> how to implement one.
>
> thanks,
>
> --larry
>
>
> On Wed, Oct 29, 2014 at 7:29 AM, Stefano Galarraga <ga...@gmail.com>
> wrote:
>>
>> Hi larry,
>>
>> Thanks for the quick answer and great to know that the RC is coming out
>> soon. It will be great to have the pointers to the documentation when this
>> will be available.
>>
>> We are building our development cluster that will be Kerberized and want
>> to allow authentication for some of the standard Hadoop Web Services plus a
>> series of custom REST API we are going to develop. The final environment
>> where the production environment would be built is currently using SPNEGO
>> for similar cases. We were thinking to delegate to Knox the authentication
>> phase to avoid re-implementing on any of the services.
>>
>> Regards
>>
>> - Stefano
>>
>>
>> On 29 Oct 2014, at 11:17, larry mccay <la...@gmail.com> wrote:
>>
>> Hi Stefano -
>>
>> Thanks for your interest in Knox 0.5.0!
>>
>> We are in the process of testing our 2nd 0.5.0 release candidate right
>> now.
>>
>> The release should be available within the next couple weeks.
>>
>> I'd be interested to hear a bit more about your intended use of SPNEGO
>> with Knox.
>> I will also be documenting the SPNEGO feature in the near future and can
>> send you a pointer when that is ready - if you would like to try it out
>> early and provide some testing.
>>
>> thanks,
>>
>> --larry
>>
>>
>> On Wed, Oct 29, 2014 at 6:48 AM, Stefano Galarraga <ga...@gmail.com>
>> wrote:
>>>
>>> Hello,
>>>
>>> I’m planning to use Knox to support Kerberos authentication in my Hadoop
>>> cluster and I saw that the support for SPNEGO will be available from version
>>> 0.5.0.
>>> Is there any foreseen date for the release date of 0.5.0?
>>>
>>> Thanks
>>>
>>> - Stefano
>>
>>
>>
>



-- 
"Confidence is what you have before you understand the problem" - Woody Allen

Re: Foreseen release date for 0.5.0 and support SPNEGO

[larry mccay <la...@gmail.com>]

Hey Stefano -

That sounds interesting...

Exactly what do you mean by delegate to Knox from your custom services for
authentication - is this for calling through Knox to backend Hadoop
services or are you going to try and just use Knox as an authentication
server?

It may be worth your time to consider actually implementing your custom
services within Knox itself.
We have a special Jersey Service in Knox for just such usecases - you can
see the admin service as an example - in master and 0.5.0.

This would allow you to leverage the authentication mechanisms in Knox and
serve the REST resources from there as well.

Calling out to Knox as an authentication server will require some sort of
pivoting from the provider chain - or will require you to stand up a
server/s hosting your services behind Knox and a custom Knox service to
route to them.

If the Jersey Service sounds like what you need, I can get you a article on
how to implement one.

thanks,

--larry


On Wed, Oct 29, 2014 at 7:29 AM, Stefano Galarraga <ga...@gmail.com>
wrote:

> Hi larry,
>
> Thanks for the quick answer and great to know that the RC is coming out
> soon. It will be great to have the pointers to the documentation when this
> will be available.
>
> We are building our development cluster that will be Kerberized and want
> to allow authentication for some of the standard Hadoop Web Services plus a
> series of custom REST API we are going to develop. The final environment
> where the production environment would be built is currently using SPNEGO
> for similar cases. We were thinking to delegate to Knox the authentication
> phase to avoid re-implementing on any of the services.
>
> Regards
>
> - Stefano
>
>
> On 29 Oct 2014, at 11:17, larry mccay <la...@gmail.com> wrote:
>
> Hi Stefano -
>
> Thanks for your interest in Knox 0.5.0!
>
> We are in the process of testing our 2nd 0.5.0 release candidate right now.
>
> The release should be available within the next couple weeks.
>
> I'd be interested to hear a bit more about your intended use of SPNEGO
> with Knox.
> I will also be documenting the SPNEGO feature in the near future and can
> send you a pointer when that is ready - if you would like to try it out
> early and provide some testing.
>
> thanks,
>
> --larry
>
>
> On Wed, Oct 29, 2014 at 6:48 AM, Stefano Galarraga <ga...@gmail.com>
> wrote:
>
>> Hello,
>>
>> I’m planning to use Knox to support Kerberos authentication in my Hadoop
>> cluster and I saw that the support for SPNEGO will be available from
>> version 0.5.0.
>> Is there any foreseen date for the release date of 0.5.0?
>>
>> Thanks
>>
>> - Stefano
>
>
>
>

Re: Foreseen release date for 0.5.0 and support SPNEGO

[Stefano Galarraga <ga...@gmail.com>]

Hi larry,

Thanks for the quick answer and great to know that the RC is coming out soon. It will be great to have the pointers to the documentation when this will be available.

We are building our development cluster that will be Kerberized and want to allow authentication for some of the standard Hadoop Web Services plus a series of custom REST API we are going to develop. The final environment where the production environment would be built is currently using SPNEGO for similar cases. We were thinking to delegate to Knox the authentication phase to avoid re-implementing on any of the services.   

Regards

- Stefano


> On 29 Oct 2014, at 11:17, larry mccay <la...@gmail.com> wrote:
> 
> Hi Stefano -
> 
> Thanks for your interest in Knox 0.5.0!
> 
> We are in the process of testing our 2nd 0.5.0 release candidate right now.
> 
> The release should be available within the next couple weeks.
> 
> I'd be interested to hear a bit more about your intended use of SPNEGO with Knox.
> I will also be documenting the SPNEGO feature in the near future and can send you a pointer when that is ready - if you would like to try it out early and provide some testing.
> 
> thanks,
> 
> --larry
> 
> 
> On Wed, Oct 29, 2014 at 6:48 AM, Stefano Galarraga <galarragas@gmail.com <ma...@gmail.com>> wrote:
> Hello,
> 
> I’m planning to use Knox to support Kerberos authentication in my Hadoop cluster and I saw that the support for SPNEGO will be available from version 0.5.0.
> Is there any foreseen date for the release date of 0.5.0?
> 
> Thanks
> 
> - Stefano
> 

Re: Foreseen release date for 0.5.0 and support SPNEGO

[larry mccay <la...@gmail.com>]

Hi Stefano -

Thanks for your interest in Knox 0.5.0!

We are in the process of testing our 2nd 0.5.0 release candidate right now.

The release should be available within the next couple weeks.

I'd be interested to hear a bit more about your intended use of SPNEGO with
Knox.
I will also be documenting the SPNEGO feature in the near future and can
send you a pointer when that is ready - if you would like to try it out
early and provide some testing.

thanks,

--larry


On Wed, Oct 29, 2014 at 6:48 AM, Stefano Galarraga <ga...@gmail.com>
wrote:

> Hello,
>
> I’m planning to use Knox to support Kerberos authentication in my Hadoop
> cluster and I saw that the support for SPNEGO will be available from
> version 0.5.0.
> Is there any foreseen date for the release date of 0.5.0?
>
> Thanks
>
> - Stefano