Date: Sun, 15 Feb 2015 21:07:12 +0000 (UTC)
From: "kenneth ho (JIRA)"
To: dev@falcon.incubator.apache.org
Subject: [jira] [Created] (FALCON-1027) Falcon REST API trusted proxy support

kenneth ho created FALCON-1027:
----------------------------------

             Summary: Falcon REST API trusted proxy support
                 Key: FALCON-1027
                 URL: https://issues.apache.org/jira/browse/FALCON-1027
             Project: Falcon
          Issue Type: Bug
    Affects Versions: 0.6
            Reporter: kenneth ho
             Fix For: 0.6

In the Dal timeframe Knox would like to be able to expose the Falcon REST API via the gateway. In order for that to work securely, it must be possible to set up a trust relationship between Knox and Falcon. This is commonly done in other Hadoop ecosystem components using a combination of Kerberos/SPNego and a doas URL query parameter. This provides a mechanism for Falcon to strongly authenticate Knox as a trusted proxy, ensuring that it can trust the identity assertions made via the doas query parameter.

The links below provide some information describing how this is done for core Hadoop. Also note that most components utilize Hadoop core's reusable hadoop-auth module to implement this functionality.

http://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Proxy_Users
http://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/SecureMode.html#Proxy_user

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
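
A model of the server-side decision the issue asks for, as an added example that is not part of the original message and is not Falcon or hadoop-auth code: the caller is assumed to be already authenticated by Kerberos/SPNEGO, and the doas value is honoured only for a trusted proxy. The policy table, host address, user names and URLs are constructed, and treating the parameter name as case-insensitive is an assumption.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass(frozen=True)
class ProxyRule:
    hosts: frozenset  # addresses the proxy may connect from; "*" means any
    users: frozenset  # users the proxy may act for; "*" means any


# Constructed policy: only the "knox" service user is a trusted proxy.
TRUSTED_PROXIES = {
    "knox": ProxyRule(hosts=frozenset({"10.0.0.5"}),
                      users=frozenset({"alice", "bob"})),
}


class ProxyDenied(Exception):
    """The doas assertion was not accepted."""


def effective_user(authenticated_user, remote_addr, url, rules=TRUSTED_PROXIES):
    """Return the user the request should run as.

    authenticated_user is the identity proven by Kerberos/SPNEGO. The doas
    parameter is only an assertion made by that caller, so it is accepted
    solely when the caller is a configured proxy, connects from an allowed
    host, and names a user it is allowed to act for.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Assumption: "doas" and "doAs" are the same parameter.
    doas = [v for name, vals in query.items() if name.lower() == "doas" for v in vals]
    if not doas:
        return authenticated_user  # no impersonation requested
    if len(doas) != 1 or not doas[0]:
        # Repeated or empty values are ambiguous, so fail closed.
        raise ProxyDenied("doas must appear once with a non-empty value")
    target = doas[0]
    rule = rules.get(authenticated_user)
    if rule is None:
        raise ProxyDenied(f"{authenticated_user} is not a trusted proxy")
    if "*" not in rule.hosts and remote_addr not in rule.hosts:
        raise ProxyDenied(f"{authenticated_user} may not proxy from {remote_addr}")
    if "*" not in rule.users and target not in rule.users:
        raise ProxyDenied(f"{authenticated_user} may not act for {target}")
    return target
```

Every denial raises rather than falling back to the authenticated caller, so a rejected assertion never runs quietly under the proxy's own identity.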