Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2013/06/04 03:32:21 UTC

[jira] [Commented] (KNOX-27) Access Kerberos secured Hadoop cluster via gateway using basic auth credentials

    [ https://issues.apache.org/jira/browse/KNOX-27?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13673916#comment-13673916 ] 

Larry McCay commented on KNOX-27:
---------------------------------

The patch appears to require a System property to determine whether or not to set the doas parameter.
+    if ("true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED))) {
+    	params.put(DOAS_PRINCIPAL_PARAM, al.toArray(a));
+    } else {
+    	params.put(PRINCIPAL_PARAM, al.toArray(a));
+    }
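Review bot: the doas/user.name selection at `if ("true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED)))` is keyed on a JVM-wide System property, so every topology served by one gateway gets the same answer; a gateway fronting a Kerberos-secured cluster and a simple-auth cluster at the same time cannot be configured correctly for both. Suggest reading the flag from the identity-assertion provider's own configuration for that topology (a provider param surfaced through the filter's init params) and, since the two branches differ only in the key, collapsing them to a single `params.put(doasRequired ? DOAS_PRINCIPAL_PARAM : PRINCIPAL_PARAM, al.toArray(a));`.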

I believe that setting a global like a system property will require identities to be asserted with the doas across all clusters managed by the gateway.
Is this what we really want there?

I think that we need a config element for the pseudo identity assertion provider that indicates that that particular cluster requires a doas.
                
> Access Kerberos secured Hadoop cluster via gateway using basic auth credentials
> -------------------------------------------------------------------------------
>
>                 Key: KNOX-27
>                 URL: https://issues.apache.org/jira/browse/KNOX-27
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Kevin Minder
>            Assignee: Dilli Arumugam
>         Attachments: KNOX-27.patch, knox-with-secure-cluster.patch
>
>
> From BUG-4306
> The basic interactions flow might look like this.
> 1. Client requests HDFS resource via gateway
> 2. Gateway challenges with basic auth
> 3. Gateway authenticates with KDC and receives token
> 4. Gateway forwards original request to service
> 5. Service challenges with SPNEGO
> 6. Gateway provides token received from KDC
> 7. Service provides response including hadoop.auth cookie.  This prevents subsequent KDC and SPNEGO interactions.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
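The per-cluster alternative Larry asks for, as an added example rather than Knox code or the patch under review: a pseudo identity-assertion filter that decides between doas and user.name from a provider init-param carried in the cluster's topology, so two topologies on one gateway can answer differently. The init-param name "doas.required" is assumed for illustration; the parameter names user.name (Hadoop simple/pseudo auth) and doas (Hadoop proxy-user impersonation, which the gateway's own principal must be allowed to do by the cluster's proxyuser settings) are Hadoop's. The filter also strips any user.name/doas a caller put in the request, so the asserted identity replaces rather than merges with client input.

```java
// Added example, not Knox's own code: per-provider doas/user.name selection.
// "doas.required" as an init-param name is an assumption for illustration.
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class PerClusterIdentityAssertionFilter implements Filter {
  /** Hadoop query parameters: user.name for simple/pseudo auth, doas for proxy-user impersonation. */
  static final String USER_NAME_PARAM = "user.name";
  static final String DOAS_PARAM = "doas";

  private boolean doasRequired;

  @Override
  public void init(FilterConfig config) {
    // Read once per provider instance, so each topology (cluster) decides for itself
    // instead of consulting a JVM-wide System property.
    doasRequired = Boolean.parseBoolean(config.getInitParameter("doas.required"));
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest http = (HttpServletRequest) req;
    Principal principal = http.getUserPrincipal();
    if (principal == null) {
      // Nothing was authenticated upstream: assert nothing rather than guess an identity.
      chain.doFilter(req, resp);
      return;
    }
    chain.doFilter(new AssertedRequest(http, principal.getName(), doasRequired), resp);
  }

  @Override
  public void destroy() {}

  /** Presents the rewritten query string to the rest of the chain. */
  static final class AssertedRequest extends HttpServletRequestWrapper {
    private final String query;

    AssertedRequest(HttpServletRequest r, String user, boolean doas) {
      super(r);
      this.query = rewriteQuery(r.getQueryString(), user, doas);
    }

    @Override
    public String getQueryString() {
      return query;
    }
  }

  /**
   * Drops any client-supplied user.name or doas (a caller must not be able to choose the
   * identity the gateway asserts) and appends the authenticated user under the key the
   * target cluster expects.
   */
  static String rewriteQuery(String original, String user, boolean doas) {
    StringBuilder out = new StringBuilder();
    if (original != null) {
      for (String pair : original.split("&")) {
        if (pair.isEmpty()) continue;
        int eq = pair.indexOf('=');
        String name = decode(eq < 0 ? pair : pair.substring(0, eq));
        if (USER_NAME_PARAM.equals(name) || DOAS_PARAM.equals(name)) continue;
        if (out.length() > 0) out.append('&');
        out.append(pair);
      }
    }
    if (out.length() > 0) out.append('&');
    out.append(doas ? DOAS_PARAM : USER_NAME_PARAM).append('=').append(encode(user));
    return out.toString();
  }

  private static String decode(String s) {
    try { return URLDecoder.decode(s, "UTF-8"); }
    catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
  }

  private static String encode(String s) {
    try { return URLEncoder.encode(s, "UTF-8"); }
    catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
  }
}
```

With this in place the same gateway can carry `<param name="doas.required" value="true"/>` in the topology of a Kerberos-secured cluster and leave it unset for a simple-auth cluster. A production wrapper should also override getParameter/getParameterMap so that nothing downstream reads the caller's original user.name or doas through those accessors.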

Re: [jira] [Commented] (KNOX-27) Access Kerberos secured Hadoop cluster via gateway using basic auth credentials

Posted by larry mccay <la...@gmail.com>.
Okay - glad that it is planned.

We'll need to drill down into the challenges of multiple Kerberos protected
clusters a bit more; there is likely a way to make that work. Perhaps with a
custom configuration manager for JAAS or the like.

HSSO roadmap is not entirely clear. It has been suggested that a single
HSSO instance may need to handle multiple clusters for SSO across clusters.
We will have to evaluate the tradeoffs between that approach and a trust
relationship between HSSO instances across clusters.


On Tue, Jun 4, 2013 at 12:47 AM, Dilli Arumugam <da...@hortonworks.com> wrote:


Re: [jira] [Commented] (KNOX-27) Access Kerberos secured Hadoop cluster via gateway using basic auth credentials

Posted by Dilli Arumugam <da...@hortonworks.com>.
Larry,

Work on eliminating the dependency on the system property for determining
whether to pass the doas parameter is planned. Kevin also pointed out the need
for this.

At the same time, one Gateway supporting multiple clusters with each
cluster having its own KDC would be challenging. Kerberos JAAS config
properties have to be set globally at the JDK level of the Gateway.

As I understand HSSO roadmap also requires one Gateway per cluster.

We could discuss this over chat or phone to get better clarification.

Thanks
Dilli
On Mon, Jun 3, 2013 at 6:32 PM, Larry McCay (JIRA) <ji...@apache.org> wrote:
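Dilli's objection above (JAAS settings being JVM-global) and Larry's suggested way around it (a custom JAAS configuration manager), as an added example that is neither Knox code nor anything from the patch: a programmatic javax.security.auth.login.Configuration keyed by cluster name, handed directly to each LoginContext so that no java.security.auth.login.config property and no Configuration.setConfiguration() global is needed. Cluster names, principals and keytab paths in the usage are made-up placeholders. One caveat stays: the realm-to-KDC mapping is still read from the single krb5.conf named by java.security.krb5.conf, so the clusters' realms must all be listed in that one file.

```java
// Added example, not Knox's own code: one JAAS login entry per cluster, without
// touching JVM-global JAAS configuration. Cluster names/keytabs are placeholders.
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public final class PerClusterKerberosLogin extends Configuration {
  private static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

  /** Cluster name -> the Krb5LoginModule entry to use when dispatching to that cluster. */
  private final Map<String, AppConfigurationEntry[]> entries = new HashMap<>();

  /** Registers a keytab-based gateway login for one cluster. */
  public void addCluster(String cluster, String principal, String keytabPath) {
    Map<String, String> opts = new HashMap<>();
    opts.put("useKeyTab", "true");
    opts.put("storeKey", "true");
    opts.put("doNotPrompt", "true");   // never fall back to an interactive password prompt
    opts.put("isInitiator", "true");   // the gateway initiates SPNEGO towards the service
    opts.put("principal", principal);
    opts.put("keyTab", keytabPath);
    entries.put(cluster, new AppConfigurationEntry[] {
        new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, opts) });
  }

  /** JAAS looks entries up by application name; we use the cluster name as that name. */
  @Override
  public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
    return entries.get(name);
  }

  /** Logs in as the gateway principal configured for the named cluster. */
  public Subject login(String cluster) throws LoginException {
    if (!entries.containsKey(cluster)) {
      throw new LoginException("no Kerberos login configured for cluster " + cluster);
    }
    // Passing this Configuration here is what keeps the setup per-cluster rather than global.
    LoginContext lc = new LoginContext(cluster, new Subject(), null, this);
    lc.login();
    return lc.getSubject();
  }

  /** Runs the dispatch to a cluster (e.g. the SPNEGO round trip) under that cluster's login. */
  public <T> T runAs(String cluster, PrivilegedExceptionAction<T> action) throws Exception {
    return Subject.doAs(login(cluster), action);
  }

  public static void main(String[] args) throws Exception {
    PerClusterKerberosLogin logins = new PerClusterKerberosLogin();
    // Placeholder principals/keytabs for two clusters in two realms.
    logins.addCluster("cluster-a", "knox/gateway.example.com@A.EXAMPLE.COM", "/etc/knox/a.keytab");
    logins.addCluster("cluster-b", "knox/gateway.example.com@B.EXAMPLE.COM", "/etc/knox/b.keytab");
    String who = logins.runAs("cluster-a", new PrivilegedExceptionAction<String>() {
      public String run() {
        // Real dispatch code would open the SPNEGO-authenticated connection here.
        return Subject.getSubject(java.security.AccessController.getContext())
            .getPrincipals().iterator().next().getName();
      }
    });
    System.out.println("dispatching to cluster-a as " + who);
  }
}
```

Logging in on every request is wasteful; a gateway would cache the Subject per cluster and re-login before the ticket expires. The main method needs real keytabs and a reachable KDC to get past lc.login(), which is why it is shown as usage rather than a self-checking test.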