Hi, I am writing a Java application that needs to access HDP services through Knox. I want to have authentication at Knox to protect my cluster. I understand that I'll connect Knox to my LDAP server. How can my application authenticate to Knox in order to access HDP services? Can I avoid sending a username/password when calling the Knox API?
I am on HDP 2.5
To be more accurate, when a user calls a service through Knox, he provides a username/password in the curl command.
Are these credentials sent unencrypted over the wire, and hence can they be spoofed? If yes, does SSL provide a solution for this?
How can a client authenticate to Knox without providing this information? (Tokens, or another solution.)
I have been reading about SPNEGO but I don't understand how all these protocols interact.
@Adel Ouazani Knox requires the user to provide a username/password for authentication. Knox can be configured to use Basic/LDAP/AD/Single Sign-On (a SAML-based identity provider, e.g. Okta, or the default form-based authentication provided with Knox). Knox uses HTTPS by default and out-of-the-box, and hence credentials won't be sent unencrypted. After successful authentication, Knox uses its own SPNEGO (Kerberos) keytab to authenticate with other Hadoop services, e.g. WebHDFS, Hive, Oozie, etc.
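An added example, not part of the original thread or of Knox's own code, of the flow the answer above describes from a Java client: HTTP Basic credentials are sent to Knox only over TLS, and the client trusts nothing but the gateway certificate held in a local truststore. The host name, port, topology name (`default`), WebHDFS path, truststore file and environment variable names are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Base64;
import java.util.Scanner;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class KnoxWebHdfsClient {
    // HTTP Basic is only Base64-encoded, not encrypted: TLS is what protects it on the wire.
    static String basicAuth(String user, String password) {
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // Trust only the certificates in the given JKS truststore (e.g. the exported gateway cert).
    static SSLContext trustOnly(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, storePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholders: gateway host, port, topology, path and truststore file name.
        URL url = new URL("https://knox.example.com:8443/gateway/default/webhdfs/v1/tmp?op=LISTSTATUS");
        SSLContext ctx = trustOnly("knox-truststore.jks", System.getenv("TRUSTSTORE_PASS").toCharArray());
        String auth = basicAuth(System.getenv("KNOX_USER"), System.getenv("KNOX_PASSWORD"));
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // hostname verification stays enabled
        conn.setRequestProperty("Authorization", auth);
        int status = conn.getResponseCode(); // 401 means the credentials were rejected
        InputStream body = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        System.out.println("HTTP " + status);
        if (body != null) {
            try (Scanner s = new Scanner(body, "UTF-8").useDelimiter("\\A")) {
                System.out.println(s.hasNext() ? s.next() : "");
            }
        }
    }
}
```

Reading the credentials from the environment keeps them out of the source and out of the process argument list, unlike a username/password typed on a curl command line.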
@Krishna Pandey Suppose we want a specific node to be authenticated by Knox such that whenever a request comes from the node it is entertained without requiring username-password. How can it be done?
I have asked it here at https://community.hortonworks.com/questions/155452/how-can-we-authenticate-a-node-via-knox.html