calcite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shi Wang" <shiw...@us.ibm.com>
Subject Re: When connect to PQS thin client through proxy server using spnego.
Date Mon, 06 Mar 2017 21:11:18 GMT
Thanks Josh!

I tried using the same basic authentication query as there is no spnego 
but somehow it will stuck for a while before open the shell and show 
timeout error. And this happened also when I did spnego auth without 
specify keytab and principal in the query. But if I put keytab and 
principal together with basic auth credentials it will show 401. 

And by the way I submitted a new patch to calcite-1539 please take a look, 
thanks :)

Best,
Shi



From:   Josh Elser <elserj@apache.org>
To:     dev@calcite.apache.org
Date:   03/06/2017 11:06 AM
Subject:        Re: When connect to PQS thin client through proxy server 
using spnego.



You don't (typically) :)

The thin client needs to authenticate to the proxy server and then the 
proxy server would perform the SPNEGO authentication as itself to the 
backend server (PQS).

One of the perks of using a proxy server like this is that you can use a 
very simple authentication method to the proxy server (HTTP BASIC auth) 
instead of SPNEGO (which is much more error-prone).

Assuming your situation hasn't changed, this would be some amount of 
configuration of Apache Knox to authenticate to PQS and "impersonate" 
you. This might be dependent on some Knox work (configuration, if 
nothing else), maybe also on your patch from CALCITE-1539.

Shi Wang wrote:
> Hi,
>
> Normally if I use PQS thin client SPNEGO authentication, just need to
> specify keytab and principal in the query string. But if before reaching
> PQS, need to do Basic auth to a proxy server. How do I encapsulate both
> the credential for Basic auth and the SPNEGO credential?
>
> Best,
> Shi
>
>
>
>






Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message