Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2019/03/25 22:37:00 UTC

[jira] [Commented] (KNOX-1834) I wish that Knox passed signed JWTs to backend services

    [ https://issues.apache.org/jira/browse/KNOX-1834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16801202#comment-16801202 ] 

Larry McCay commented on KNOX-1834:
-----------------------------------

Hi John - thank you for the "wish" :).

It is certainly a decent way to do the same, but it doesn't align with what proxyusers do in the Hadoop ecosystem.

You should also be aware that user.name is what is used by default in unsecured clusters for those services that support Simple or Pseudo authentication. The real proxyuser implementation uses a doAs query param along with Kerberos for strong authentication between Knox and the backend service. So Knox authenticates via Kerberos and asserts the identity of the authenticated user via doAs. This is a Hadoop pattern and feature and existed before Knox.

Do you have a specific backend service that you would rather do it this way for?

If so, this is certainly possible, but you would need a couple of things:

1. A service definition for your custom service
2. A custom dispatch to be added to your ext jar, or contributed to Apache Knox if generic enough
3. You can use the built-in Token Authority Service in Knox, but we would need to extend that to add groups as claims. This is something that we have avoided so far, as the token can live for a period of time that exceeds the user's membership of a given group, and the lookups are better done closer to and at the time of the actual resource access.

> I wish that Knox passed signed JWTs to backend services
> -------------------------------------------------------
>
>                 Key: KNOX-1834
>                 URL: https://issues.apache.org/jira/browse/KNOX-1834
>             Project: Apache Knox
>          Issue Type: Wish
>            Reporter: John Ruiz
>            Priority: Major
>
> My understanding based on reading the User's Guide is that Knox will assert the authenticated user/client to a backend REST API by adding user.name to the query or form parameters sent to the backend service.
> I wish that I could configure Knox to instead assert the authenticated user via a signed JWT in the Authentication header sent to the backend service.
> In this way, I would be able to receive asserted groups that were 'looked up' when the user /client authenticated to Knox.
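The two assertion mechanisms contrasted in the thread, as an added example that is not part of the Knox thread or the Knox/Hadoop code base: a simplified model of how a backend resolves the effective user, following the shape of Hadoop's hadoop.proxyuser.<user>.hosts/.groups checks, with constructed policy and group data. It shows that on a Simple/Pseudo cluster user.name is an unverified claim taken at face value, while on a secure cluster doAs is honoured only after strong authentication of the caller plus a proxyuser authorization check.

```python
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for Hadoop's hadoop.proxyuser.<user>.hosts/.groups
# settings: which hosts the "knox" principal may proxy from, and which
# groups the impersonated user must belong to (assumed values).
PROXYUSER_POLICY = {"knox": {"hosts": {"10.0.0.5"}, "groups": {"analysts"}}}

# Constructed group mapping, standing in for the backend's group provider.
GROUPS = {"alice": {"analysts"}, "bob": {"admins"}}


def resolve_effective_user(auth_principal, remote_host, url, secure=True):
    """Return the user the backend should act as, or raise PermissionError.

    auth_principal: short name of the principal the backend authenticated
        (e.g. via Kerberos/SPNEGO), or None if no strong authentication.
    secure: True when the cluster requires Kerberos; False for Simple/Pseudo
        authentication, where the user.name query param is simply trusted.
    """
    params = parse_qs(urlparse(url).query)
    do_as = params.get("doAs", [None])[0]
    user_name = params.get("user.name", [None])[0]

    if secure:
        if auth_principal is None:
            raise PermissionError("strong authentication required")
        caller = auth_principal          # user.name is ignored on secure clusters
    else:
        if user_name is None:
            raise PermissionError("user.name required for pseudo authentication")
        caller = user_name               # unverified: the request simply claims a name

    # No impersonation requested (or self-impersonation): act as the caller.
    if do_as is None or do_as == caller:
        return caller

    # Impersonation: the caller must be an authorized proxy user, calling from
    # an allowed host, and the target user must be in an allowed group.
    policy = PROXYUSER_POLICY.get(caller)
    if policy is None:
        raise PermissionError(f"{caller} is not an authorized proxy user")
    if "*" not in policy["hosts"] and remote_host not in policy["hosts"]:
        raise PermissionError(f"{caller} may not proxy from {remote_host}")
    if "*" not in policy["groups"] and not (GROUPS.get(do_as, set()) & policy["groups"]):
        raise PermissionError(f"{caller} may not impersonate {do_as}")
    return do_as
```

The same proxyuser checks apply whether the caller was identified by Kerberos or by user.name; the difference is only in how much the backend can trust the caller identity that the checks start from.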