...
- Introduce the new SSO cookie as a first-class citizen rather than the Hadoop auth cookie
- Create a new filter for the new cookie instead of a new handler
- Refactor the existing AuthenticationFilter into a delegating filter rather than one that returns 403
  - add a check to see if the user is established already
  - continue the filter chain
- Add a new filter that checks for an established user and, in its absence, looks for the new cookie
  - does the redirect
  - verifies the signature based on the PKI public key of the configured knoxsso endpoint
- Add a new filter that terminates the chain, returning 403 if the user has not been established by the end
- The new knoxsso cookie is better security because it is based on PKI rather than a shared secret across the cluster that can/must be acquired by each server
- Shouldn't get much pushback due to Alejandro leaving Cloudera
- Can always fall back to the Hadoop auth cookies under pressure and revisit it later
- Add groups to the knoxsso token
- We may be able to get away with using the existing Hadoop auth cookie with a strengthened signer based on PKI
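The filter chain sketched above, written out as an added example (this is not code from the notes, from Knox or from Hadoop, and it is a Go stand-in for what would be Java servlet filters). The three filters run in order: the refactored AuthenticationFilter establishes the user from the legacy shared-secret cookie when it can and otherwise just continues the chain; the new SSO filter redirects when no cookie is present and verifies a present one with nothing but the endpoint's public key; the terminating filter returns 403 only if nobody established the user. The endpoint URL, the cookie name `knoxsso`, the `originalUrl` parameter, the token layout (base64url JSON payload plus an RSA signature) and the legacy `user&hmac` cookie shape are all assumptions for the example, and both keys are generated on the spot.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"strings"
)

// Constructed key material: ssoKey stands in for the signing key of the configured knoxsso endpoint
// (servers need only its public half); hadoopSecret is the cluster-wide secret behind the legacy cookie.
var (
	ssoKey, _    = rsa.GenerateKey(rand.Reader, 2048)
	hadoopSecret = []byte("constructed-shared-secret")
)

// Hypothetical endpoint URL and new cookie name; neither is taken from the notes.
const ssoEndpoint, ssoCookie = "https://knoxsso.example.invalid/gateway/knoxsso/api/v1/websso", "knoxsso"

// principal is what a filter establishes; Groups is the groups claim carried in the SSO token.
type principal struct{ User string; Groups []string }

// request and response stand in for the servlet request and response.
type request struct {
	Path    string
	Cookies map[string]string
	User    *principal // nil until some filter establishes the user
}
type response struct{ Status int; Location string }

// mintSSOToken: constructed token "b64url(payload).b64url(sig)", sig = RSA PKCS#1 v1.5 over SHA-256(payload).
func mintSSOToken(key *rsa.PrivateKey, p principal) string {
	payload, _ := json.Marshal(p)
	digest := sha256.Sum256(payload)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// verifySSOToken checks the signature with the public key before trusting any claim in the payload.
func verifySSOToken(pub *rsa.PublicKey, token string) (principal, bool) {
	head, tail, found := strings.Cut(token, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(head)
	sig, err2 := base64.RawURLEncoding.DecodeString(tail)
	digest := sha256.Sum256(payload)
	var p principal
	if !found || err1 != nil || err2 != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil ||
		json.Unmarshal(payload, &p) != nil || p.User == "" {
		return principal{}, false
	}
	return p, true
}

// hadoopAuthFilter is the refactored AuthenticationFilter: it establishes the user from a valid
// legacy "user&hmac" cookie (constructed shape) when it can, and otherwise continues the chain
// instead of returning 403.
func hadoopAuthFilter(req *request, resp *response, next func()) {
	if v, ok := req.Cookies["hadoop.auth"]; ok && req.User == nil {
		user, sig, _ := strings.Cut(v, "&")
		mac := hmac.New(sha256.New, hadoopSecret)
		mac.Write([]byte(user))
		if hmac.Equal([]byte(sig), []byte(base64.RawURLEncoding.EncodeToString(mac.Sum(nil)))) {
			req.User = &principal{User: user}
		}
	}
	next()
}

// ssoCookieFilter: no user yet and no SSO cookie -> redirect; cookie present -> verify and establish.
func ssoCookieFilter(req *request, resp *response, next func()) {
	if req.User == nil {
		v, ok := req.Cookies[ssoCookie]
		if !ok {
			resp.Status, resp.Location = 302, ssoEndpoint+"?originalUrl="+url.QueryEscape(req.Path)
			return
		}
		if p, ok := verifySSOToken(&ssoKey.PublicKey, v); ok {
			req.User = &p
		} // an invalid cookie leaves the user unestablished; the terminating filter decides
	}
	next()
}

// terminatingFilter ends the chain: 403 unless an earlier filter established the user, else the app runs.
func terminatingFilter(req *request, resp *response) {
	resp.Status = 403
	if req.User != nil {
		resp.Status = 200 // stand-in for invoking the protected application
	}
}

// runChain pushes one request through the three filters in order and reports the outcome.
func runChain(path string, cookies map[string]string) (response, *principal) {
	req, resp := &request{Path: path, Cookies: cookies}, &response{}
	hadoopAuthFilter(req, resp, func() {
		ssoCookieFilter(req, resp, func() { terminatingFilter(req, resp) })
	})
	return *resp, req.User
}
```

The point to notice is where the private key lives: `mintSSOToken` is only ever called by the SSO endpoint, while every server in the chain verifies with `&ssoKey.PublicKey` alone, whereas the legacy path in `hadoopAuthFilter` has to hold `hadoopSecret` on every server. A payload swapped under a genuine signature, or a token signed by some other key, ends in 403 rather than in an established user, and a bad legacy cookie no longer stops the chain early: it falls through to the SSO redirect.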
...