```plantuml
@startuml
title Hadoop Web UI SSO with Knox Token Exchange from SAML

skinparam sequence {
  LifeLineBackgroundColor lightyellow
}
hide footbox
autonumber

participant "Browser" as ua
participant "Ambari\nServer UI" as ms #lime
participant "HDFS\nNN UI" as nn #lime
participant "Knox" as gw #lime
participant "SAML IdP\n(eg Shibboleth)" as idp
participant "LDAP or\nActiveDirectory" as as

activate ua

' An unauthenticated UI request is bounced to Knox carrying the original URL
ua -> ms: ambari-view-url.GET()
activate ms
ua <-- ms: redirect302(knox-url,ambari-url)
deactivate ms

ua -> gw: knox-url.GET(ambari-url)
activate gw
|||

group SAML
ua <-- gw: ok200(idp-redirect-form[idp-url,knox-url,ambari-url])
note right: Redirect forms auto submitted\nvia embedded JavaScript
deactivate gw

ua -> idp: idp-url.POST(knox-url,ambari-url)
activate idp
ua <-- idp: ok200(idp-login-form[idp-url,knox-url,ambari-url])
deactivate idp

ua -> idp: idp-url.POST(username,password,knox-url,ambari-url)
activate idp
idp -> as: authenticate\n(username,password)
ua <-- idp: ok200(knox-redirect-form[knox-url,ambari-url,idp-token])
deactivate idp

ua -> gw: knox-url.POST(ambari-url,idp-token)
activate gw
|||
end

' Knox exchanges the IdP token for a knox-token and sets its own SSO cookie
ua <-- gw: ok200(ambari-redirect-form[ambari-url,knox-token],knox-cookie)
note right: Token exchange
deactivate gw

ua -> ms: ambari-url.POST(knox-token)
activate ms
ua <-- ms: redirect302(ambari-url,ambari-cookie)
deactivate ms

ua -> ms: ambari-url.GET(ambari-cookie)
activate ms
ua <-- ms: ok200(ambari-view)
deactivate ms

...

note over ua, as: Subsequent uses of other UIs do not require authentication/SAML due to knox-cookie in Browser

ua -> nn: nn-url.GET()
activate nn
ua <-- nn: redirect302(knox-url,nn-url)
deactivate nn

' knox-cookie already names a Knox session, so the SAML group is skipped
ua -> gw: knox-url.GET(nn-url,knox-cookie)
activate gw
ua <-- gw: ok200(nn-redirect-form[nn-url,knox-token])
deactivate gw

ua -> nn: nn-url.POST(knox-token)
activate nn
ua <-- nn: redirect302(nn-url,nn-cookie)
deactivate nn

ua -> nn: nn-url.GET(nn-cookie)
activate nn
ua <-- nn: ok200(nn-view)
deactivate nn

deactivate ua
@enduml
```
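The following is an added, executable model of the exchange in the diagram; it is example code written for this page, not Knox, Ambari or Hadoop code. Each participant is a small class, the browser carries a cookie jar, and the check a practitioner cares about is made explicit: a UI accepts a knox-token only if its MAC verifies, it has not expired and its `aud` claim names that UI, so a token minted for Ambari is refused when replayed at the NameNode UI. Everything below is an assumption for illustration: the `body.mac` token format (HMAC-SHA256 with a shared key standing in for the signed JWT Knox actually issues with the gateway's key pair, which lets a UI verify with only the public key), the URLs, the user directory, the cookie names and the 60 s / 300 s lifetimes.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

IDP_KEY = secrets.token_bytes(32)   # assumption: key the IdP signs idp-token with
KNOX_KEY = secrets.token_bytes(32)  # assumption: key Knox signs knox-token with

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(claims: dict, key: bytes) -> str:
    """'body.mac': HMAC-SHA256 over a base64url JSON body (stand-in for a signed JWT)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Claims if the MAC verifies (constant-time) and 'exp' is in the future, else None."""
    body, sep, mac = token.partition(".")
    good = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not sep or not hmac.compare_digest(mac, good):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("exp", 0) > (time.time() if now is None else now) else None

class SamlIdp:
    """The IdP plus its LDAP/AD directory; counts interactive logins."""
    def __init__(self, directory: dict):
        self.directory, self.logins = directory, 0

    def authenticate(self, username: str, password: str) -> Optional[str]:
        self.logins += 1
        if not hmac.compare_digest(self.directory.get(username, ""), password):
            return None
        return sign_token({"sub": username, "iss": "idp", "exp": time.time() + 300}, IDP_KEY)

class Knox:
    """knox-url: runs the SAML group once, afterwards mints knox-tokens off knox-cookie."""
    def __init__(self, idp: SamlIdp):
        self.idp, self.sessions = idp, {}

    def handle(self, browser: "Browser", target_url: str, creds=None) -> str:
        user = self.sessions.get(browser.cookies.get("knox-cookie"))
        if user is None:                      # no Knox session: the SAML group of the diagram
            idp_token = self.idp.authenticate(*creds) if creds else None
            assertion = verify_token(idp_token, IDP_KEY) if idp_token else None
            if assertion is None:
                raise PermissionError("SAML authentication failed")
            user, sid = assertion["sub"], secrets.token_urlsafe(16)
            self.sessions[sid] = user
            browser.cookies["knox-cookie"] = sid
        # Token exchange: short-lived knox-token bound to the UI that redirected here.
        return sign_token({"sub": user, "aud": target_url, "exp": time.time() + 60}, KNOX_KEY)

class WebUi:
    """Ambari or the HDFS NN UI: one knox-token POST, then its own session cookie."""
    def __init__(self, name: str, url: str):
        self.name, self.url, self.sessions = name, url, {}

    def post_token(self, browser: "Browser", knox_token: str) -> None:
        claims = verify_token(knox_token, KNOX_KEY)
        if claims is None or claims.get("aud") != self.url:   # tampered, expired or wrong UI
            raise PermissionError(f"{self.name}: knox-token rejected")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = claims["sub"]
        browser.cookies[self.name + "-cookie"] = sid

    def get(self, browser: "Browser") -> Optional[str]:
        user = self.sessions.get(browser.cookies.get(self.name + "-cookie"))
        return f"{self.name}-view for {user}" if user else None

class Browser:
    """Holds the cookie jar and follows the redirects / auto-submitted forms."""
    def __init__(self):
        self.cookies = {}

    def open(self, ui: WebUi, knox: Knox, creds=None) -> str:
        page = ui.get(self)
        if page is None:                              # redirect302(knox-url, ui-url)
            ui.post_token(self, knox.handle(self, ui.url, creds))  # ui-url.POST(knox-token)
            page = ui.get(self)                       # ui-url.GET(ui-cookie)
        return page

def demo():
    """Returns (ambari page, nn page, IdP logins, whether a cross-UI token replay was refused)."""
    idp = SamlIdp({"alice": "correct horse"})         # constructed directory
    knox, ua = Knox(idp), Browser()
    ambari, nn = WebUi("ambari", "https://ambari.example/"), WebUi("nn", "https://nn.example/")
    first = ua.open(ambari, knox, creds=("alice", "correct horse"))
    second = ua.open(nn, knox)                        # knox-cookie: no second IdP login
    stray = sign_token({"sub": "alice", "aud": ambari.url, "exp": time.time() + 60}, KNOX_KEY)
    try:
        nn.post_token(Browser(), stray)               # Ambari's token replayed at the NN UI
        refused = False
    except PermissionError:
        refused = True
    return first, second, idp.logins, refused
```

`demo()` reproduces the note in the diagram: the NameNode UI is reached with one IdP login, because the browser's knox-cookie already names a Knox session, while a knox-token minted for one UI is rejected by another. The `aud` binding and the short lifetime are the two properties a UI should check before minting its own cookie; without them the knox-token degrades into a bearer credential for every UI behind Knox.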