  1. Apache Knox
  2. KNOX-761

KnoxSSO Needs to Support Multi-tenant Usecases

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Server
    • Labels:
      None

      Description

      In a deployment that separates tenant access to Hadoop resources through dedicated topologies with tenant-specific authentication, there are a couple of issues:

      • pac4j provider seems to be caching config settings in a singleton, which makes the redirect URL nondeterministic.
      • knoxsso cookie would be trusted across tenant-specific topologies, which could lead to unauthorized access to resources that belong to another tenant

      The use of tenant-specific audience claims within the JWT token could be used to mitigate the cross-tenant trust issue.

      We need to investigate the pac4j provider issue with the singleton config.
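
The audience-claim mitigation suggested above, as an added example that is not Knox code and not part of the original issue: each tenant topology accepts a token only when its own audience appears in `aud`, and rejects a token that carries no `aud` at all. The HS256 demo key, the helper names and the `tenant-a`/`tenant-b` audiences are assumptions made for the demonstration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. HS256 is a stand-in chosen so the example needs only
# the standard library; it is an assumption, not how Knox signs its tokens.
SIGNING_KEY = b"constructed-demo-key"

def b64enc(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body):
    return hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(subject, audience=None, ttl=300, now=None):
    """Hypothetical issuer: mint a token, optionally bound to tenant audience(s)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "exp": now + ttl}
    if audience is not None:
        claims["aud"] = audience  # a string or a list of strings
    head = b64enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64enc(json.dumps(claims).encode())
    return f"{head}.{body}.{b64enc(sign(head, body))}"

def accept_token(token, expected_audience, now=None):
    """Hypothetical per-topology check: return the subject, or None if rejected."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(b64dec(head)), json.loads(b64dec(body)), b64dec(sig)
    except ValueError:
        return None  # malformed token
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm instead of trusting the header
    if not hmac.compare_digest(sign(head, body), given):
        return None  # signature does not cover these claims
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None  # expired
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    # Fail closed: a token without an aud claim is accepted by no tenant topology.
    if expected_audience not in audiences:
        return None
    return claims.get("sub")
```

The same signing key is shared by both topologies here on purpose: the audience check is what separates the tenants, which is the situation the description is concerned with.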

            People

            • Assignee:
              lmccay Larry McCay
              Reporter:
              lmccay Larry McCay