Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 0.6
- None
- None
Description
Knox will provide SSO to Hadoop's Web UIs. Once the user is authenticated to one Hadoop console (e.g., Ambari Server or the NN UI), navigating to another Web UI (DN UI or Falcon UI) will not require the user to re-authenticate, and their identity from authentication against the first UI will be propagated to the second UI.
In terms of requirements:
1. Knox will provide an SSO server as a Knox feature.
2. The Knox server will provide a login page.
3. The Knox team will provide an authentication filter that will be a servlet filter.
4. Each component's team will insert/package the authentication filter with the component.
5. Each component team will provide a logout link on their pages; the link will redirect to the Knox SSO server for the logout scenario.
The benefits of this feature:
1. SSO between Hadoop's Web UIs: the end user will need to authenticate only once, and his identity is propagated between consoles.
2. Knox will provide authentication based on various modern authentication schemes such as SAML (Dal), OAuth (future), and multi-factor authentication, and component teams get these integrations without any extra work.
What mechanisms are available in NameNode to handle browser identity? If SPNEGO is it, how would someone pass identity with that on a click? Are there any plans (or is there current support) for OAuth?
Also assume that Ambari is wired up to an external LDAP for authentication, so the user authenticated in Ambari is an LDAP user and that identity is in LDAP.