...
Apache Knox is designed to be a unified authentication and access control solution for cluster services. It authenticates users at the cluster's edge and can integrate with various identity management systems for authentication. It also offers service-level authorization at the perimeter.
...
In this use case, authorization to the downstream services is decided by the request path. As with the AclsAuthz provider, the decision is based on username, groups or IP address. This lets Knox enforce authorization on individual endpoints in the Kubernetes cluster, giving finer-grained, service-level authorization.
Example:
| Path | user | group | ipaddress |
|---|---|---|---|
| /foo | user | * | * |
| /foo/**,/bar/** | user1 | group1 | * |
| /foo/*/bar | * | * | 164.25.25.16 |
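As an added illustration (not code from Knox or from this design note), the following Python models the table above. It assumes Ant-style path globbing (`*` matches within one path segment, `**` spans any number of segments), AND-mode matching of the user, group and ipaddress columns as in the AclsAuthz default, and deny-by-default when no row's path matches the request.

```python
import re

# The example table from the design note, transcribed as constructed input
# (one rule per line: path patterns, user, group, ipaddress).
RULE_TABLE = """\
/foo | user | * | *
/foo/**,/bar/** | user1 | group1 | *
/foo/*/bar | * | * | 164.25.25.16
"""


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Assumed Ant-style globbing: '**' spans any number of segments,
    '*' matches within a single segment, everything else is literal."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_rules(table: str):
    """Turn 'path | user | group | ipaddress' rows into rule tuples."""
    rules = []
    for line in table.splitlines():
        if not line.strip():
            continue
        paths, user, group, ip = [c.strip() for c in line.split("|")]
        patterns = tuple(_glob_to_regex(p.strip()) for p in paths.split(","))
        rules.append((patterns, user, group, ip))
    return rules


def is_authorized(rules, path, user, groups, ip) -> bool:
    """Deny by default; permit when some rule matches the request path AND
    (as in the AclsAuthz default mode) the user, one of the groups and the
    client IP, where '*' in a column is a wildcard."""
    for patterns, r_user, r_group, r_ip in rules:
        if not any(p.match(path) for p in patterns):
            continue  # this row does not apply to the requested path
        if (r_user in ("*", user)
                and (r_group == "*" or r_group in groups)
                and r_ip in ("*", ip)):
            return True
    return False


RULES = parse_rules(RULE_TABLE)
```

Note that `/foo/*/bar` permits `/foo/a/bar` from 164.25.25.16 but not `/foo/a/b/bar`, since `*` does not cross a segment boundary.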
For authentication, the same flow as in the previous use cases can be reused.
...