
Multiple Auth Backends with desktop.auth.backend.SpnegoDjangoBackend


I've successfully configured multiple auth backends with desktop.auth.backend.PamBackend and desktop.auth.backend.AllowFirstUserDjangoBackend, just to make sure I was configuring it correctly. But what I would really like is to incorporate desktop.auth.backend.SpnegoDjangoBackend as one of the auth methods. My goal is to allow users who have a krb5 ticket to get right in, but if the user does not have a ticket, they get password prompted to authenticate via PAM.

When I replace AllowFirstUserDjangoBackend with SpnegoDjangoBackend, if I have a ticket I get right in. If I do not have a ticket, rather than falling back to desktop.auth.backend.PamBackend, I get the message: "401 Unauthorized" in my browser.

I've tried it before PamBackend:

[[auth]]
backend=desktop.auth.backend.SpnegoDjangoBackend,desktop.auth.backend.PamBackend

I've tried it after PamBackend:

[[auth]]
backend=desktop.auth.backend.PamBackend,desktop.auth.backend.SpnegoDjangoBackend

Both exhibited the same behavior. My question is: is it possible to incorporate SpnegoDjangoBackend into a multiple auth backend scenario?

Thanks,
Jonathan

1 REPLY

Re: Multiple Auth Backends with desktop.auth.backend.SpnegoDjangoBackend

The problem with Spnego is that it is actually performing the checks in a middleware
https://github.com/cloudera/hue/blob/master/desktop/core/src/desktop/middleware.py#L516
and not in the authenticate method of the backend (so the retry logic with another backend won't work with Spnego).

Too bad that

[[auth]]
backend=desktop.auth.backend.PamBackend,desktop.auth.backend.SpnegoDjangoBackend

does not work, as PamBackend seems to follow the Django backend protocol correctly.

Do you see any hints in the logs on why Pam does not get tried first, then Spnego?
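
A simplified model of the behaviour described in this thread, added here as an example and not taken from Hue or Django: a SPNEGO-style middleware answers 401 on the HTTP request itself, so the backend chain (and its fallback to a PAM-style backend) is never reached, whatever the backend order. All names (`spnego_middleware`, `PamLikeBackend`, `TICKETS`, and so on) are constructed for illustration, and ticket validation is replaced by a lookup table.

```python
# Simplified model for illustration; not Hue or Django source code.
TICKETS = {"Negotiate tok-alice": "alice"}   # constructed stand-in for GSSAPI validation
PAM_ACCOUNTS = {"bob": "s3cret"}             # constructed sample credentials

class SpnegoLikeBackend:
    def authenticate(self, principal=None):
        return principal                     # trusts what the middleware validated

class PamLikeBackend:
    calls = 0                                # counts how often the chain reaches PAM
    def authenticate(self, username=None, password=None):
        PamLikeBackend.calls += 1
        return username if username and PAM_ACCOUNTS.get(username) == password else None

def authenticate(backends, **credentials):
    """Django-style chain: try each backend, first non-None user wins."""
    for backend in backends:
        try:
            user = backend.authenticate(**credentials)
        except TypeError:                    # backend does not take these credentials
            continue
        if user is not None:
            return user
    return None

def login_view(request, backends):
    creds = {k: request[k] for k in ("principal", "username", "password") if k in request}
    user = authenticate(backends, **creds)
    return {"status": 200, "user": user} if user else {"status": 403, "user": None}

def spnego_middleware(request, view):
    """Decides on the HTTP request itself, before any backend is consulted."""
    token = request.get("authorization", "")
    if token not in TICKETS:                 # no ticket: challenge, view never runs
        return {"status": 401, "user": None, "www_authenticate": "Negotiate"}
    return view(dict(request, principal=TICKETS[token]))

def handle(request, backends, spnego_in_middleware=True):
    view = lambda req: login_view(req, backends)
    return spnego_middleware(request, view) if spnego_in_middleware else view(request)

if __name__ == "__main__":
    chain = [SpnegoLikeBackend(), PamLikeBackend()]
    password_login = {"username": "bob", "password": "s3cret"}
    print(handle({"authorization": "Negotiate tok-alice"}, chain))
    print(handle(password_login, chain), "PAM calls:", PamLikeBackend.calls)
    print(handle(password_login, chain, spnego_in_middleware=False))
```

In this model, reordering the backend list changes nothing, because the 401 is produced before `authenticate` is called at all.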