In a deployment that separates tenant access to Hadoop resources through dedicated topologies with tenant-specific authentication, there are a couple of issues:
- The pac4j provider seems to be caching config settings in a singleton, which makes the redirect URL nondeterministic.
- The KnoxSSO cookie would be trusted across tenant-specific topologies, which could lead to unauthorized access to resources that belong to another tenant.
Tenant-specific audience claims within the JWT token could be used to mitigate the cross-tenant trust issue: each topology accepts only tokens whose `aud` names that tenant, so a token minted for one tenant is rejected by another tenant's topology.
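As an added illustration of the audience-claim mitigation (example code, not Knox's own JWT handling; the HS256 secret, tenant names and claim layout are constructed for the demo), a tenant topology verifies that the token's `aud` names it before trusting the cookie:

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo secret. In Knox the token is signed by the KnoxSSO
# service's key, not an HMAC secret shared with each topology.
SIGNING_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(subject: str, audience, ttl_seconds: int = 3600) -> str:
    """Issue an HS256 JWT whose 'aud' names the tenant topology it is for."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": audience, "exp": int(time.time()) + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, expected_audience: str) -> Optional[dict]:
    """Return the claims if signature, expiry and audience all check out, else None.

    A token with no 'aud' claim is rejected too: an audience-less token would be
    honoured by every tenant topology, which is exactly the cross-tenant trust
    the audience check is meant to remove.
    """
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        return None
    # Signature is checked with the algorithm we expect, never one taken from
    # the header, so a tampered 'alg' cannot downgrade the check.
    signing_input = (h64 + "." + c64).encode()
    expected_sig = hmac.new(SIGNING_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        return None
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        return None
    claims = json.loads(_b64url_decode(c64))
    if claims.get("exp", 0) <= time.time():
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519: string or array
    if expected_audience not in audiences:
        return None
    return claims
```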
We need to investigate the pac4j provider issue with the singleton config.