PlantUML | ||||
---|---|---|---|---|
| ||||
hide footbox autonumber participant "Browser" as cli participant "WebUI\n(eg NN UI)" as ui #lime participant "Knox\nTS/SSO" as sso #lime participant "SAML IdP\n(eg Shibboleth)" as idp activate cli cli -> ui: /view.GET() note right: User/browser makes request to UI without valid token activate ui cli <-- ui: redirect302(SSO:/login,ui-origin-url) note right: AuthFilter in UI detectes no/invalid token redirects to KnoxTS/SSO preserving ui-origin-url deactivate ui cli -> sso: /login.GET(ui-origin-uil) note right: Browser follows redirect activate sso cli <-- sso: redirect302(IdP:/login,knox-origin-url) note right: KnoxTS/SSO finds no/invalid token,\nredirects to SAML IdP preserving knox-origin-url with encoded ui-origin-uri deactivate sso cli -> idp: /login.GET(knox-origin-url) note right: Browser follows redirect activate idp cli <-- idp: ok200(form) note right: SAML IdP presents login form to user deactivate idp cli -> idp: /login.POST(username,password) note right: User provides credentials to IdP via login form.\nSAML IdP validates credentials. activate idp cli <-- idp: redirect302(knox-origin-url,saml-bearer-token) note right: IdP redirects back to knox-origin-url with SAML Bearer token in headers deactivate idp cli -> sso: /login.GET(saml-bearer-token) note right: KnoxTS/SSO converts SAML Bearer Token to a normalized JWT Bearer Token\nand extracts ui-origin-url from knox-origin-url activate sso cli <-- sso: redirect302(ui-origin-url,jwt-bearer-token-cookie) note right: KnoxTS/SSO redirects client back to ui-origin-url with JWT Bearer token in cookie deactivate sso cli -> ui: /view.GET(jwt-bearer-token-cookie) note right: Browser follows redirect to ui-origin-url with JWT Bearer Token in cookie.\nJWT Bearer Token validated by AuthFilter in UI activate ui cli <- ui: ok200(response) note right: Request processes and response returned to client. deactivate ui deactivate cli |
Knox Picketlink Federation Provider
The picketlink federation provider allows for the federation of an authentication event that is represented by a SAML assertion cookie/token.
It enables the flow illustrated above in the sequence diagram for SAML based authentication for Hadoop Web UIs and is based on Apache Picketlink.
It has currently been tested with shibboleth as the SAML provider.
The following table details the configuration elements of the provider:
Param | Description | Default |
---|---|---|
identity.url | The URL to redirect incoming requests that do not contain the expected cookie and presumably to facilitate an authentication challenge. | none |
service.url | The URL back to the KnoxSSO endpoint for the IdP to redirect the browser after authentication. | none |
keystore.url | The location of the keystore with the public cert of the IdP for token validation. BUG: this is currently hardcoded to gateway.jks | gateway.jks |
validating.alias.key | This is the idp domain which is used as the alias for looking up the alias for the cert to validate incoming tokens with - ie. idp.example.com | none |
validating.alias.value | This is the alias for the actual cert to use for the idp domain - ie. server.crt | none |
clock.skew.milis | The clock skew to use during the validation of tokens | none |
Sample Topology file: "idp.xml"
<topology>
<gateway>
<provider>
<role>federation</role>
<name>Picketlink</name>
<enabled>true</enabled>
<param>
<name>identity.url</name>
<value>https://localhost:9443/idp/profile/SAML2/POST/SSO</value>
</param>
<param>
<name>service.url</name>
<value>http://c6401.ambari.apache.org:8888/gateway/idp/knoxsso/</value>
</param>
<param>
<name>keystore.url</name>
<value>/usr/hdp/current/knox-server/data/security/keystores/gateway.jks</value>
</param>
<param>
<name>validating.alias.key</name>
<value>c6401.ambari.apache.org</value>
</param>
<param>
<name>validating.alias.value</name>
<value>gateway-identity</value>
</param>
<param>
<name>clock.skew.milis</name>
<value>2000</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
</provider>
<provider>
<role>authorization</role>
<name>AclsAuthz</name>
<enabled>true</enabled>
</provider>
</gateway>
<service>
<role>KNOXSSO</role>
<param>
<name>sso.cookie.secure.only</name>
<value>false</value>
</param>
</service>
</topology>
Proof of Concept Status
The following notes reflect the CURRENT POC state for the above flow inside an Ambari managed ambari-vagrant 3 node cluster:
...
** CAVEAT: the simple hadoop-auth cookie and any subsequent JWT solution will dictate that knoxsso endpoint be in the same domain as all of the UIs. IOW - all nodes in the cluster that host UIs or will need the cookie to be available need to be in the same domain as the knoxsso endpoint.
Required Configuration for Hadoop Consoles
OBSOLETE but in the proper spirit of HADOOP-11717 (
Jira | ||||||
---|---|---|---|---|---|---|
|
<property>
<name>hadoop.http.authentication.simple.anonymous.allowed</name>
<value>false</value>
</property>
...
<property>
<name>hadoop.http.authentication.public.key.pem</name>
<value>MIICVjCCAb+gAwIBAgIJAPPvOtuTxFeiMA0GCSqGSIb3DQEBBQUAMG0xCzAJBgNV
BAYTAlVTMQ0wCwYDVQQIEwRUZXN0MQ0wCwYDVQQHEwRUZXN0MQ8wDQYDVQQKEwZI
YWRvb3AxDTALBgNVBAsTBFRlc3QxIDAeBgNVBAMTF2M2NDAxLmFtYmFyaS5hcGFj
aGUub3JnMB4XDTE1MDcxNjE4NDcyM1oXDTE2MDcxNTE4NDcyM1owbTELMAkGA1UE
BhMCVVMxDTALBgNVBAgTBFRlc3QxDTALBgNVBAcTBFRlc3QxDzANBgNVBAoTBkhh
ZG9vcDENMAsGA1UECxMEVGVzdDEgMB4GA1UEAxMXYzY0MDEuYW1iYXJpLmFwYWNo
ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMFs/rymbiNvg8lDhsdA
qvh5uHP6iMtfv9IYpDleShjkS1C+IqId6bwGIEO8yhIS5BnfUR/fcnHi2ZNrXX7x
QUtQe7M9tDIKu48w//InnZ6VpAqjGShWxcSzR6UB/YoGe5ytHS6MrXaormfBg3VW
tDoy2MS83W8pweS6p5JnK7S5AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEANyVg6EzE
2q84gq7wQfLt9t047nYFkxcRfzhNVL3LB8p6IkM4RUrzWq4kLA+z+bpY2OdpkTOe
wUpEdVKzOQd4V7vRxpdANxtbG/XXrJAAcY/S+eMy1eDK73cmaVPnxPUGWmMnQXUi
TLab+w8tBQhNbq6BOQ42aOrLxA8k/M4cV1A=</value>
</property>
Picketlink POC Server
The knoxsso endpoint at this point is represented by a simple embedded jetty server hosting a webapp with a number of filters.
...