Posted to user@knox.apache.org by Tien Dat PHAN <tp...@gmail.com> on 2021/09/09 09:16:58 UTC

Proxying WebHDFS on kerberized cluster with CAS server as authenticator

Dear experts,

We have an HDFS cluster which is secured with Kerberos.
We also have a CAS server which is used for basically most of our authentication activities.

We just wonder whether, with Apache Knox 1.5.0, it is possible to proxy the WebHDFS web UI of this HDFS cluster, with our CAS server as the authenticator.

We have been following the User guide, but so far, we did not succeed.
For your information, if we use the LDAP server as the authenticator, instead of the CAS server via Pac4J, it works well.

So we just wonder 1) whether our use case is possible, and 2) if it is POSSIBLE, what could be the missing configuration we should add? (We can share our topology configuration here if it can help.)

Best regards
Tien Dat PHAN

Re: Proxying WebHDFS on kerberized cluster with CAS server as authenticator

Posted by larry mccay <la...@gmail.com>.
Hi Tien Dat PHAN -

It is indeed a valid use case and should work.
If the documentation available in the user guide [1] is not working then we
may have a bug in 1.5.0.
There was a regression in OIDC support due to an upgraded dependency that
was out of step with one of the others.

Please do let us know and provide the configuration that you are using for
comparison.

Thanks!

--larry

[1] http://knox.apache.org/books/knox-1-5-0/user-guide.html#Pac4j+Provider+-+CAS+/+OAuth+/+SAML+/+OpenID+Connect
