Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-18363

Ambari authentication with Kerberos token



    • Ambari authentication with Kerberos token


      Users should be able to authenticate to use Ambari by providing a Kerberos token using SPNEGO - Simple and Protected GSSAPI Negotiation Mechanism. This includes access to the Ambari REST API as well as the Ambari web-based UI.

      The implementation should support the ability to perform the full SPNEGO handshake as well as access requests directly providing the appropriate HTTP header containing the Kerberos token. For example:

      Authorization: Negotiate YIICcgY...r/vJcLO

      In the full handshake model

      1. The client requests access to a web resource
      2. The server responds with an HTTP 401 status (Unauthorized), including the header WWW-Authenticate: Negotiate
      3. The client generates the Kerberos data and creates a new request containing the authentication header - Authorization: Negotiate YIICcgY...r/vJcLO

      Since Ambari needs to generally return a HTTP status of 403 (Forbidden) when authentication is needed, a hint must be sent along with the request indicate to Ambari that Kerberos authentication is desired. If this hint is received, then Ambari will respond with the appropriate status and header to initiate SPNEGO with the client. This hint is an Ambari-specific header named "X-Authentication-Type" with the value of "kerberos":

      X-Authentication-Type: kerberos

      No matter what the handshake mechanism is (or lack of), once the Kerberos token is received by Ambari, Ambari is to parse and validate the token. If a failure occurs, Ambari is to respond with the appropriate HTTP status and related header(s). Upon success, the user's principal name is retrieved and converted into a local user name. The use of an auth-to-local rule set processor may be needed to perform this translation. Using this local username, an appropriate Ambari user account is located and used as the authenticated users identity - details, privileges, etc.... Failure to find an appropriate Ambari user account is to result in an authentication failure response.


        Issue Links



              rlevas Robert Levas
              rlevas Robert Levas
              0 Vote for this issue
              1 Start watching this issue