  1. Falcon
  2. FALCON-1026

Falcon UI to participate in SSO provided by Knox



    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.6
    • Fix Version/s: 0.6
    • Component/s: None
    • Labels:


      Knox will provide SSO to Hadoop's Web UI. So once the user is authenticated to one Hadoop console (e.g. Ambari Server or NN UI etc.), navigating to another Web UI (DN UI or Falcon UI) will not require the user to re-authenticate, and their identity from authentication against the first UI will be propagated to the second UI.

      In terms of requirements:
        • Knox will provide an SSO server as a Knox feature.
        • The Knox server will provide a login page.
        • The Knox team will provide an authentication filter that will be a servlet filter.
        • The component's team will insert/package the authentication filter with the component.
        • The component team will provide a logout link on their pages; the link will redirect to the Knox server SSO for the logout scenario.

      The benefits of this feature:
      1. SSO between Hadoop's Web UIs - the end user will need to authenticate only once, and his identity is propagated between consoles.
      2. Knox will provide authentication based on various modern authentication schemes such as SAML (Dal), OAuth (Future), and Multi-Factor Authentication, and component teams get these integrations without any extra work needed.

      What mechanisms are available in NameNode to handle browser identity? If SPNEGO is it, how would someone pass identity with that on a click? Any plans (or is there current support) for OAuth?
      Also assume that Ambari is wired up to external LDAP for authentication, so the user authenticated in Ambari is an LDAP user and the identity is in LDAP.




            • Assignee:
              kho@hortonworks.com kenneth ho
            • Votes:
              0
            • Watchers:
              1


              • Created: