PlantUML
titletemp
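' Purpose: browser SSO into the Hadoop web UIs (Ambari Server UI, HDFS NameNode UI)
' that sit behind Knox. The first access authenticates at a SAML IdP; Knox then
' exchanges the IdP token for a knox-token (delivered to the target UI through an
' auto-submitted form) plus a knox-cookie (kept by the browser). Later UIs only
' need the knox-cookie and skip the SAML leg (see the note before the NameNode
' section).
' Message labels are pseudo-HTTP ("verb(arguments)"), not literal requests.
' Fix in this revision: "usernme" -> "username" in the IdP -> directory call.
title Hadoop Web UI SSO with Knox Token Exchange from SAML
skinparam sequence {
  LifeLineBackgroundColor lightyellow
}
hide footbox
autonumber
' Participants: #lime marks the Hadoop-side components; the IdP and the
' directory are outside the cluster.
participant "Browser" as ua
participant "Ambari\nServer UI" as ms #lime
participant "HDFS\nNN UI" as nn #lime
participant "Knox" as gw #lime
participant "SAML IdP\n(eg Shibboleth)" as idp
participant "LDAP or\nActiveDirectory" as as
activate ua
' --- First UI access: Ambari has no session for this browser and bounces it to
' --- Knox, passing ambari-url as the post-login return target.
ua -> ms: ambari-view-url.GET()
activate ms
ua <-- ms: redirect302(knox-url,ambari-url)
deactivate ms
ua -> gw: knox-url.GET(ambari-url)
activate gw
|||
' --- SAML leg. The browser has no knox-cookie yet, so Knox starts SAML
' --- authentication. knox-url and ambari-url are carried through every hop so
' --- the browser can be sent back to the original view afterwards.
' --- NOTE(review): ambari-url is a caller-supplied return URL that survives the
' --- whole round trip; the diagram does not show where it is validated. Confirm
' --- Knox checks it against its configured targets before redirecting to it.
group SAML
ua <-- gw: ok200(idp-redirect-form[idp-url,knox-url,ambari-url])
note right: Redirect forms auto submitted\nvia embedded JavaScript
deactivate gw
ua -> idp: idp-url.POST(knox-url,ambari-url)
activate idp
ua <-- idp: ok200(idp-login-form[idp-url,knox-url,ambari-url])
deactivate idp
' Credentials are posted to the IdP only; Knox and the Hadoop UIs never see them.
ua -> idp: idp-url.POST(username,password,knox-url,ambari-url)
activate idp
idp -> as: authenticate\n(username,password)
' idp-token (the IdP's assertion) travels back through the browser to Knox.
ua <-- idp: ok200(knox-redirect-form[knox-url,ambari-url,idp-token])
deactivate idp
ua -> gw: knox-url.POST(ambari-url,idp-token)
activate gw
|||
end group
' --- Token exchange: Knox turns idp-token into a knox-token (for Ambari, via an
' --- auto-submitted form) and a knox-cookie (set on the browser).
' --- NOTE(review): validation of idp-token (signature, audience, freshness) is
' --- implied here but not drawn. knox-cookie is a bearer credential that lets the
' --- browser skip SAML for every later UI; confirm its scope, lifetime and
' --- Secure/HttpOnly attributes.
ua <-- gw: ok200(ambari-redirect-form[ambari-url,knox-token],knox-cookie)
note right: Token exchange
deactivate gw
' "POSTGET" presumably means the form POSTs knox-token and the browser then
' follows the 302 with a GET; the diagram does not define the shorthand.
ua -> ms: ambari-url.POSTGET(knox-token)
activate ms
' Ambari accepts knox-token and establishes its own session (ambari-cookie).
ua <-- ms: redirect302(ambari-url,ambari-cookie)
deactivate ms
ua -> ms: ambari-url.GET(ambari-cookie)
activate ms
ua <-- ms: ok200(ambari-view)
deactivate ms
' "..." is PlantUML's elapsed-time divider.
...
note over ua, as: Subsequent uses of other UIs do not require authentication/SAML due to knox-cookie in Browser
' --- Second UI (HDFS NameNode): same redirect-to-Knox pattern, but the browser
' --- now presents knox-cookie, so Knox issues a fresh knox-token for the NameNode
' --- without contacting the IdP or the directory.
ua -> nn: nn-url.GET()
activate nn
ua <-- nn: redirect302(knox-url,nn-url)
deactivate nn
ua -> gw: knox-url.GET(nn-url,knox-cookie)
activate gw
ua <-- gw: ok200(nn-redirect-form[nn-url,knox-token])
deactivate gw
ua -> nn: nn-url.POSTGET(knox-token)
activate nn
' The NameNode likewise converts knox-token into its own session cookie.
ua <-- nn: redirect302(nn-url,nn-cookie)
deactivate nn
ua -> nn: nn-url.GET(nn-cookie)
activate nn
ua <-- nn: ok200(nn-view)
deactivate nn
deactivate ua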