Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/03/13 09:47:58 UTC

[GitHub] [incubator-superset] mapto opened a new issue #7024: KnoxSSO integration

mapto opened a new issue #7024: KnoxSSO integration
URL: https://github.com/apache/incubator-superset/issues/7024
 
 
   I'm working on an SSO integration with [Apache Knox](https://knox.apache.org). I'm writing this issue to ask for validation and advice on my approach, so that it is hopefully useful in a more general context.
   
   Knox provides a combined service of HTTPS gateway/proxy and SSO. Because of this, I'm considering a simplified authentication mechanism which assumes that Knox controls all the requests, allowing only authorised ones, and for Superset it remains only to identify the user and perform an automatic login. I'm using authentication based on LDAP, where both Knox and Superset have access to the LDAP users directory.
   
   I have currently identified three possible ways of doing the above identification:
   
   * from a GET request parameter `user.name` that Knox sends to managed applications
   * from the [Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) header set by Knox
   * from a [`hadoop-jwt` cookie](https://svn.apache.org/repos/asf/knox/site/books/knox-0-9-0/knoxsso_integration.html) set by Knox.
   
   I currently don't see why in the current context I should bother to unpack the [JWT](https://en.wikipedia.org/wiki/JSON_Web_Token), given that I can get the user name unencrypted. Admittedly, I need to make sure that the Superset logged-in session does not outlive the Knox logged-in session, but at this point this seems manageable to me. Can anyone think of an issue I might be missing and thus my reasoning is invalid?
   
   PS: Not really relevant, but here's a link to the Knox issue on [gateway integration](https://issues.apache.org/jira/browse/KNOX-1783) with Superset.
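
The following is an added example, not part of the original post and not Superset or Knox code. It reads the user name from the three sources listed above, accepts it only when the request arrives from the gateway and the sources agree, and returns the token expiry so the Superset session can be capped at the Knox session. The gateway address, the function names, and the use of the `sub` and `exp` claims for user name and expiry are assumptions; the cookie's signature is not verified here, which would require Knox's public key.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: only this peer (constructed address) may assert an identity.
KNOX_GATEWAY_ADDRS = {"10.0.0.5"}

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def identity_claims(url, headers, cookies):
    """Read the user name from each of the three sources the post lists."""
    claims = {}
    query = parse_qs(urlsplit(url).query)
    if "user.name" in query:
        claims["query"] = query["user.name"][0]
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        userpass = base64.b64decode(auth[6:]).decode("utf-8")
        claims["basic"] = userpass.split(":", 1)[0]
    token = cookies.get("hadoop-jwt", "")
    if token.count(".") == 2:
        # The payload is only decoded; the signature is NOT verified here.
        payload = json.loads(b64url_decode(token.split(".")[1]))
        claims["jwt"] = payload.get("sub")
        claims["exp"] = payload.get("exp")
    return claims

def accept_user(peer_addr, url, headers, cookies, now):
    """Return (user, session_deadline), or None if no automatic login is allowed."""
    if peer_addr not in KNOX_GATEWAY_ADDRS:
        return None  # on a direct connection every source is client-supplied
    try:
        claims = identity_claims(url, headers, cookies)
    except ValueError:
        return None  # malformed base64, UTF-8 or JSON
    names = {claims[k] for k in ("query", "basic", "jwt") if claims.get(k)}
    if len(names) != 1:
        return None  # no identity at all, or the sources disagree
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        return None  # Knox token already expired
    return names.pop(), exp  # caller caps the Superset session at exp

def make_unsigned_token(sub, exp):
    """Constructed sample cookie value; the third segment is a dummy signature."""
    body = json.dumps({"sub": sub, "exp": exp}).encode()
    return "e30." + base64.urlsafe_b64encode(body).decode().rstrip("=") + ".sig"
```
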
