You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Kevin Risden (JIRA)" <ji...@apache.org> on 2018/11/12 18:57:00 UTC
[jira] [Comment Edited] (KNOX-1550) TLS/SSL clientAuth provider
[ https://issues.apache.org/jira/browse/KNOX-1550?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16684241#comment-16684241 ]
Kevin Risden edited comment on KNOX-1550 at 11/12/18 6:56 PM:
--------------------------------------------------------------
Was able to test this by doing the following:
* topology.xml authentication provider section
**
{code:java}
<provider>
<role>authentication</role>
<name>ClientAuth</name>
<enabled>true</enabled>
</provider>{code}
* gateway-site.xml added:
**
{code:java}
<property>
<name>gateway.client.auth.wanted</name>
<value>true</value>
</property>{code}
* curl -Lki --key client_key.pem --cert client_public.pem ’[https://localhost:8443/gateway/test/webhdfs/v1/']
* Ended up with the following in gateway-audit.log
**
{noformat}
18/11/12 13:49:50 ||c82a22ab-4c2a-4c3b-b9ba-b92dbf0a85ae|audit|0:0:0:0:0:0:0:1|WEBHDFS|CN=admin, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown|||access|uri|/gateway/test/webhdfs/v1/|failure|{noformat}
*
** The failure is from not having webhdfs behind it. The audit works correctly though
was (Author: risdenk):
Was able to test this by doing the following:
* gateway-site.xml added:
**
{code:java}
<property>
<name>gateway.client.auth.wanted</name>
<value>true</value>
</property>{code}
* curl -Lki --key client_key.pem --cert client_public.pem ’[https://localhost:8443/gateway/test/webhdfs/v1/']
* Ended up with the following in gateway-audit.log
**
{noformat}
18/11/12 13:49:50 ||c82a22ab-4c2a-4c3b-b9ba-b92dbf0a85ae|audit|0:0:0:0:0:0:0:1|WEBHDFS|CN=admin, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown|||access|uri|/gateway/test/webhdfs/v1/|failure|{noformat}
** The failure is from not having webhdfs behind it. The audit works correctly though
> TLS/SSL clientAuth provider
> ---------------------------
>
> Key: KNOX-1550
> URL: https://issues.apache.org/jira/browse/KNOX-1550
> Project: Apache Knox
> Issue Type: New Feature
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Major
> Fix For: 1.3.0
>
> Attachments: KNOX-1550.patch, KNOX-1550.patch, KNOX-1550.patch
>
>
> The ability to identify a user based on the CN of a clientAuth certificate could be useful.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)