Apache Knox Gateway “Single Sign On” expands the reach of the Enterprise users
Jeffrey E Rodriguez Viaña
Tanping Wang
June 2017
Who Am I?
• Jeffrey E Rodriguez
• Senior BigData Engineer/Tech
Security Leader
• Work @ IBM.
• Apache Hadoop/Knox contributor.
• Apache Xerces committer.
• https://www.linkedin.com/in/jeffreyrodriguezinnovationperu/
Apache Knox Gateway is a proxy for interacting with Apache Hadoop clusters in a secure way, providing authentication, service-level authorization, and many other extensions to secure any HTTP interaction in your cluster. One feature of Apache Knox Gateway is the ability to extend the reach of your REST APIs to the internet while still securing your cluster and working with Kerberos. Recent contributions to the Apache Knox community have added support for Single Sign On (SSO) based on Pac4j 1.8.9, a very powerful security engine that provides SSO support through SAML2, OAuth, OpenID, and CAS. In addition, through recent community contributions, Apache Ambari, Apache Atlas and Apache Ranger can now also authenticate through Knox SSO. This presentation discusses the architecture of Knox SSO, explains how enterprise users could benefit from this feature, and presents enterprise use cases for Knox SSO and its integration with the open source Shibboleth IdP, ADFS on Windows Server, and the Okta cloud IdP.
Single Sign On (SSO) Case
Single Sign On/Federation
• Knox “SSO” is not a Kerberos or LDAP replacement but an effective way to distribute enterprise authentication resources.
• You no longer need to proliferate authentication resources (LDAP, KDCs, etc.); instead you can put these resources behind identity providers such as Shibboleth, ADFS, WSO2 or Okta.
• You can also do identity management through IdP services. This means user identity lifecycle, credentials and authorization can be managed in one single place.
• The Apache Knox Gateway is a system that provides a single point of
authentication and access for Apache™ Hadoop® services. It provides
the following features: Single REST API Access Point. Centralized
authentication, authorization and auditing for Hadoop REST/HTTP
services.
• An identity provider is defined as "A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles."
Knox IdPs
1. Form-based Identity Provider – Knox has a customizable form application which leverages JWT – AKA local SSO.
• JWT, JSON Web Token – RFC7797.
• “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.”
• SAML-based Identity Provider
• This is set through the knoxsso.xml topology.
Knox IdPs infrastructure
2. SAML-based Identity Provider (IdP)
• This leverages the pac4j library to add support for SAML, CAS, OAuth and OpenID.
• Also requires changes to the knoxsso.xml and default.xml topologies.
• At the time of this presentation there is no support for establishing groups from the SAML assertion; the participating applications must use a group lookup to establish group membership based on the username.
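Since both IdP flavours are wired up through the knoxsso.xml topology, here is an added example (my own Python, not Knox project code) that parses a constructed knoxsso.xml and flags the KNOXSSO and pac4j settings that most often go wrong: a cookie that is not marked secure-only, a never-expiring token, a redirect whitelist that accepts any URL, and a plain-http pac4j callback. The parameter names are the ones the Knox user guide documents for the KNOXSSO service and the pac4j provider; the host names, the probe URLs, the 8-hour lifetime threshold and the finding codes are my own assumptions.

```python
"""Lint a KnoxSSO topology (knoxsso.xml) for weak SSO settings.

Added example, not Knox project code. Parameter names follow the Knox user
guide for the KNOXSSO service and the pac4j federation provider; the
thresholds, probe URLs and sample topologies are my own.
"""
import re
import xml.etree.ElementTree as ET

MAX_TTL_MS = 8 * 60 * 60 * 1000  # my threshold: flag SSO tokens living > 8 h
# Probe URLs (constructed): a sound whitelist regex must reject both; the
# second catches regexes that forget to anchor the end of the host name.
FOREIGN_URLS = ("https://unrelated.example/",
                "https://example.test.unrelated.example/")

# Constructed knoxsso.xml with three weak KNOXSSO params and a plain-http
# pac4j callback. Host names are placeholders.
WEAK_TOPOLOGY = r"""<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>pac4j</name>
      <enabled>true</enabled>
      <param><name>pac4j.callbackUrl</name>
        <value>http://knox.example.test:8443/gateway/knoxsso/api/v1/websso</value></param>
      <param><name>clientName</name><value>SAML2Client</value></param>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
    <param><name>knoxsso.token.ttl</name><value>-1</value></param>
    <param><name>knoxsso.redirect.whitelist.regex</name><value>.*</value></param>
  </service>
</topology>"""

# The same topology with each weak value corrected.
FIXED_TOPOLOGY = WEAK_TOPOLOGY.replace(
    "http://knox.example.test", "https://knox.example.test"
).replace(
    "<value>false</value>", "<value>true</value>"
).replace(
    "<value>-1</value>", "<value>3600000</value>"  # 1 h in ms
).replace(
    "<value>.*</value>",
    r"<value>^https://([^/]*\.)?example\.test(:[0-9]+)?/.*$</value>",
)


def params_of(elem):
    """Map <param><name>..</name><value>..</value></param> children to a dict."""
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in elem.findall("param")}


def lint_topology(xml_text):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    sso = next((s for s in root.iter("service")
                if (s.findtext("role") or "").strip() == "KNOXSSO"), None)
    if sso is None:
        return ["no-knoxsso-service"]
    p = params_of(sso)

    # The cookie is the bearer credential: it must never travel over plain HTTP.
    if p.get("knoxsso.cookie.secure.only", "").lower() != "true":
        findings.append("cookie-not-secure-only")

    # Token lifetime in ms; -1 means the token never expires (Knox user guide).
    ttl = int(p.get("knoxsso.token.ttl", "30000"))  # 30000 = documented default
    if ttl < 0 or ttl > MAX_TTL_MS:
        findings.append("token-ttl-too-long")

    # originalUrl must match this regex before KnoxSSO redirects to it; a
    # missing or catch-all regex turns the websso endpoint into an open redirect.
    regex = p.get("knoxsso.redirect.whitelist.regex")
    if regex is None or any(re.fullmatch(regex, u) for u in FOREIGN_URLS):
        findings.append("open-redirect-whitelist")

    # The pac4j callback receives the IdP assertion; it must be https.
    for prov in root.iter("provider"):
        if (prov.findtext("name") or "").strip() == "pac4j":
            if not params_of(prov).get("pac4j.callbackUrl", "").startswith("https://"):
                findings.append("pac4j-callback-not-https")
    return findings


if __name__ == "__main__":
    for label, topo in (("weak", WEAK_TOPOLOGY), ("fixed", FIXED_TOPOLOGY)):
        print(label, lint_topology(topo) or "OK")
```

Running the file prints the four findings for the weak topology and OK for the corrected copy; the same checks can be pointed at a deployed topology by reading the file from the gateway's conf/topologies directory instead of the embedded string.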
Single Sign On Providers
• This case allows a web application such as our demo KnoxExplorer (on a different domain, www.local.com) to reach Hadoop HDFS cluster data in a secure way and process/transform/analyze that data.
• There are many commercial identity-provider-as-a-service offerings available, but enterprises have many choices:
• Host their own SAML, OAuth, etc. identity provider using IBM TFIM (IBM Tivoli Federated Identity Manager) or Microsoft Active Directory Federation Services (ADFS).
• Use a commercial web service such as the Okta cloud IdP.
• Use the IBM Bluemix cloud SSO-as-a-Service APIs.
• There are Ambari Single Sign On services such as https://www.onelogin.com/connector/ambari-single-sign-on
Starting in Knox 0.8.0, Knox has SSO support (CAS/OAuth/OpenID/SAML) using pac4j.
pac4j is a Java security engine to authenticate users, get their
profiles and manage their authorizations in order to secure Java
web applications.
It supports many authentication mechanisms for UI and web
services and is implemented by many frameworks and tools.
For Knox, it is used as a federation provider to support the OAuth,
CAS, SAML and OpenID Connect protocols. It must be used for
SSO, in association with the KnoxSSO service and optionally with
the SSOCookieProvider for access to REST APIs.
Knox SSO Providers/Services
• KnoxSSO Default Form-based IdP - The default configuration of KnoxSSO provides a form-based authentication mechanism that leverages Shiro authentication to authenticate against LDAP/AD with credentials collected from a form-based challenge.
• Pac4j - The pac4j provider adds numerous authentication and federation capabilities including SAML, CAS, OpenID Connect, Google, Twitter, etc.
• HeaderPreAuth - A simple mechanism for propagating the identity through HTTP headers that specify the username and group for the authenticated user. This has been built for vendor use cases such as SiteMinder and IBM Tivoli Access Manager.
Knox SSO Providers/Services
• KnoxSSO - The KnoxSSO service is an integration service that provides a normalized SSO token for representing the authenticated user. This token is generally used for WebSSO capabilities for participating UIs and their consumption of the Apache Hadoop REST APIs. KnoxSSO abstracts the actual identity provider integration away from participating applications so that they only need to be aware of the KnoxSSO cookie. The token is presented by the browser as a cookie, and applications that are participating in the KnoxSSO integration are able to cryptographically validate the presented token and remain agnostic to the underlying SSO integration.
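The cryptographic validation a participating application performs on the KnoxSSO cookie, as an added example in Python (my code, not Knox or Ambari code). Knox signs the hadoop-jwt token with RS256 and participating applications verify it with the gateway's public certificate; to run without third-party libraries this example swaps in HS256 over a shared key and keeps every other step the same: locate the hadoop-jwt cookie, pin the algorithm, verify the signature before reading any claim, then check issuer, expiry and subject. The shared demo key, the user names and the issuer value KNOXSSO (Knox's default, to my knowledge) are assumptions; the JWT layout is the one quoted on the "Knox IdPs" slide above.

```python
"""Validate the KnoxSSO cookie the way a participating application must.

Added example, not Knox or Ambari code. Knox signs the real hadoop-jwt token
with RS256 using the gateway's signing key, and participating apps verify it
with the gateway's public certificate; to stay dependency-free this example
swaps in HS256 (a shared key via hmac) and keeps every other check the same.
The issuer name KNOXSSO is Knox's default; treat it as an assumption.
"""
import base64
import hashlib
import hmac
import json
import time

COOKIE_NAME = "hadoop-jwt"      # default KnoxSSO cookie name
EXPECTED_ISSUER = "KNOXSSO"     # assumed default issuer claim
ALLOWED_ALG = "HS256"           # stand-in for RS256; never accept "none"


class TokenError(Exception):
    """Raised for any reason the token must be rejected."""


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_demo_token(key, subject, exp):
    """Stand-in for what KnoxSSO does after the IdP authenticates the user."""
    header = _b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"iss": EXPECTED_ISSUER, "sub": subject, "exp": exp}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_knoxsso_token(token, key, now=None):
    """Return the claims if the token is authentic and current, else raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: rejects unsigned (alg=none) and alg-confusion tokens.
    if header.get("alg") != ALLOWED_ALG:
        raise TokenError("algorithm not allowed")
    # Verify the signature before trusting a single claim; constant-time compare.
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("unexpected issuer")
    # exp is seconds since the epoch. A token minted with knoxsso.token.ttl=-1
    # carries no exp at all, which is why the topology should set a finite ttl.
    if "exp" in claims and float(claims["exp"]) <= now:
        raise TokenError("token expired")
    if not claims.get("sub"):
        raise TokenError("no subject")
    return claims


def user_from_cookie_header(cookie_header, key, now=None):
    """Pick hadoop-jwt out of a Cookie header; None means 'redirect to KnoxSSO'."""
    cookies = {}
    for item in cookie_header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    token = cookies.get(COOKIE_NAME)
    if token is None:
        return None
    return verify_knoxsso_token(token, key, now)["sub"]


def is_valid(token, key, now=None):
    """Boolean wrapper: any decoding or verification failure is a rejection."""
    try:
        verify_knoxsso_token(token, key, now)
        return True
    except (TokenError, ValueError):
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"
    cookie = "JSESSIONID=abc; " + COOKIE_NAME + "=" + mint_demo_token(key, "alice", int(time.time()) + 600)
    print("authenticated user:", user_from_cookie_header(cookie, key))
```

When `user_from_cookie_header` returns None the application redirects the browser to the KnoxSSO websso endpoint with its own URL as originalUrl, which is the redirect the whitelist regex in knoxsso.xml governs; on a TokenError the application should treat the request as unauthenticated and do the same, never fall back to a looser check.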
SAML (almost every other known SSO solution follows a similar pattern)
• Security Assertion Markup Language (XML based).
Knox SAML Arch flow
SSO SAML IdP Services
• ADFS – Active Directory Federation Services.
• Shibboleth – Enterprise and Cloud IdP.
• Bluemix Single Sign On for Bluemix and Bluemix Identity Bridge.
• IBM Tivoli Federated Identity Manager
• Bitium
• Microsoft Azure Active Directory
• Centrify
• RSA SecurID
• OneLogin
SSO SAML IdP Services…
• Gigya
• SalesForce App Cloud Identity
• ManageEngine ADManager Plus
• NetIQ Access Manager
• CA Identity Manager
• Oracle Identity Management
• AWS Identity and Access Management (IAM)
• Foxpass
SSO SAML IdP Services…
• NetIQ Identity Manager
• WSO2 Identity Manager
• PingOne
• Covisint Cloud Identity
• CloudSOC
• SecureAuth IdP
ADFS SSO solution for Windows
• You can configure Federation Services in AD (Active Directory) so ADFS can serve as an IdP server and support SAML.
Shibboleth IdP 3.x Service
• Shibboleth is a standards-based, open source software package for web single sign-on across or within organizational boundaries.
• Open source project providing an IdP through SAML.
• Supports SAML 2.0.
• You can configure Shibboleth with FreeIPA.
• Shibboleth IdP V3
• Either build it from source or try it using the Docker image: “docker run -it -v $(pwd):/ext-mount --rm unicon/shibboleth-idp init-idp.sh”
Conclusion
• Knox provides secure SSL access to Hadoop REST APIs and UIs.
• The support of SSO by Knox allows authentication to be managed in a more efficient and manageable way by leveraging Identity Provider services through SAML.
• You can either use a commercial SaaS identity provider like Okta, or roll your own using your existing enterprise middleware like ADFS, or even use the Shibboleth IdP as an open source alternative.
• We will add a Shibboleth IdP Knox SSO demo and provide future blogs on this integration through the Knox community.
• Knox supports SSO for Ambari, Apache Ranger, and Apache Atlas.
Q&A

Mais conteúdo relacionado

Mais procurados

Managing 2000 Node Cluster with Ambari
Managing 2000 Node Cluster with AmbariManaging 2000 Node Cluster with Ambari
Managing 2000 Node Cluster with Ambari
DataWorks Summit
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
Belsoft
 
HATEOAS: The Confusing Bit from REST
HATEOAS: The Confusing Bit from RESTHATEOAS: The Confusing Bit from REST
HATEOAS: The Confusing Bit from REST
elliando dias
 

Mais procurados (20)

Managing your Hadoop Clusters with Apache Ambari
Managing your Hadoop Clusters with Apache AmbariManaging your Hadoop Clusters with Apache Ambari
Managing your Hadoop Clusters with Apache Ambari
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Managing 2000 Node Cluster with Ambari
Managing 2000 Node Cluster with AmbariManaging 2000 Node Cluster with Ambari
Managing 2000 Node Cluster with Ambari
 
Apache Hadoop Security - Ranger
Apache Hadoop Security - RangerApache Hadoop Security - Ranger
Apache Hadoop Security - Ranger
 
Extending Apache Ranger Authorization Beyond Hadoop: Review of Apache Ranger ...
Extending Apache Ranger Authorization Beyond Hadoop: Review of Apache Ranger ...Extending Apache Ranger Authorization Beyond Hadoop: Review of Apache Ranger ...
Extending Apache Ranger Authorization Beyond Hadoop: Review of Apache Ranger ...
 
Intro to AWS: Database Services
Intro to AWS: Database ServicesIntro to AWS: Database Services
Intro to AWS: Database Services
 
Implementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on KeycloakImplementing WebAuthn & FAPI supports on Keycloak
Implementing WebAuthn & FAPI supports on Keycloak
 
Overview of new features in Apache Ranger
Overview of new features in Apache RangerOverview of new features in Apache Ranger
Overview of new features in Apache Ranger
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
 
Elastic stack Presentation
Elastic stack PresentationElastic stack Presentation
Elastic stack Presentation
 
Hadoop Meetup Jan 2019 - Overview of Ozone
Hadoop Meetup Jan 2019 - Overview of OzoneHadoop Meetup Jan 2019 - Overview of Ozone
Hadoop Meetup Jan 2019 - Overview of Ozone
 
HATEOAS: The Confusing Bit from REST
HATEOAS: The Confusing Bit from RESTHATEOAS: The Confusing Bit from REST
HATEOAS: The Confusing Bit from REST
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security Hardening
 
Apache Bigtop: a crash course in deploying a Hadoop bigdata management platform
Apache Bigtop: a crash course in deploying a Hadoop bigdata management platformApache Bigtop: a crash course in deploying a Hadoop bigdata management platform
Apache Bigtop: a crash course in deploying a Hadoop bigdata management platform
 
Session 8 - Creating Data Processing Services | Train the Trainers Program
Session 8 - Creating Data Processing Services | Train the Trainers ProgramSession 8 - Creating Data Processing Services | Train the Trainers Program
Session 8 - Creating Data Processing Services | Train the Trainers Program
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
Troubleshooting Kerberos in Hadoop: Taming the Beast
Troubleshooting Kerberos in Hadoop: Taming the BeastTroubleshooting Kerberos in Hadoop: Taming the Beast
Troubleshooting Kerberos in Hadoop: Taming the Beast
 
Fluentd Overview, Now and Then
Fluentd Overview, Now and ThenFluentd Overview, Now and Then
Fluentd Overview, Now and Then
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 

Destaque

Improvements in Hadoop Security
Improvements in Hadoop SecurityImprovements in Hadoop Security
Improvements in Hadoop Security
DataWorks Summit
 

Destaque (20)

Information security in big data -privacy and data mining
Information security in big data -privacy and data miningInformation security in big data -privacy and data mining
Information security in big data -privacy and data mining
 
Apache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOXApache Knox setup and hive and hdfs Access using KNOX
Apache Knox setup and hive and hdfs Access using KNOX
 
Built-In Security for the Cloud
Built-In Security for the CloudBuilt-In Security for the Cloud
Built-In Security for the Cloud
 
Hadoop & Security - Past, Present, Future
Hadoop & Security - Past, Present, FutureHadoop & Security - Past, Present, Future
Hadoop & Security - Past, Present, Future
 
Improvements in Hadoop Security
Improvements in Hadoop SecurityImprovements in Hadoop Security
Improvements in Hadoop Security
 
An Approach for Multi-Tenancy Through Apache Knox
An Approach for Multi-Tenancy Through Apache KnoxAn Approach for Multi-Tenancy Through Apache Knox
An Approach for Multi-Tenancy Through Apache Knox
 
Hadoop
HadoopHadoop
Hadoop
 
Treat your enterprise data lake indigestion: Enterprise ready security and go...
Treat your enterprise data lake indigestion: Enterprise ready security and go...Treat your enterprise data lake indigestion: Enterprise ready security and go...
Treat your enterprise data lake indigestion: Enterprise ready security and go...
 
Hdp security overview
Hdp security overview Hdp security overview
Hdp security overview
 
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)
 
Big Data Security with Hadoop
Big Data Security with HadoopBig Data Security with Hadoop
Big Data Security with Hadoop
 
Hadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxHadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache Knox
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Hadoop and Data Access Security
Hadoop and Data Access SecurityHadoop and Data Access Security
Hadoop and Data Access Security
 
Hadoop Internals (2.3.0 or later)
Hadoop Internals (2.3.0 or later)Hadoop Internals (2.3.0 or later)
Hadoop Internals (2.3.0 or later)
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security Architecture
 
HADOOP TECHNOLOGY ppt
HADOOP  TECHNOLOGY pptHADOOP  TECHNOLOGY ppt
HADOOP TECHNOLOGY ppt
 
Cours Big Data Chap1
Cours Big Data Chap1Cours Big Data Chap1
Cours Big Data Chap1
 
Hadoop Overview & Architecture
Hadoop Overview & Architecture  Hadoop Overview & Architecture
Hadoop Overview & Architecture
 

Semelhante a Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users

InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
Tobias Koprowski
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
Spiffy
 
How AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudHow AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloud
LDAPCon
 
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Lucas Jellema
 

Semelhante a Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users (20)

“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything
 
IBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptx
IBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptxIBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptx
IBM BP Session - Multiple CLoud Paks and Cloud Paks Foundational Services.pptx
 
Introduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS ProjectIntroduction to the WSO2 Identity Server &Contributing to an OS Project
Introduction to the WSO2 Identity Server &Contributing to an OS Project
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
 
IBM Open Cloud Update XCITE Fall 2014
IBM Open Cloud Update   XCITE Fall 2014IBM Open Cloud Update   XCITE Fall 2014
IBM Open Cloud Update XCITE Fall 2014
 
OpenStack and Cloud Foundry - Pair the leading open source IaaS and PaaS
OpenStack and Cloud Foundry - Pair the leading open source IaaS and PaaSOpenStack and Cloud Foundry - Pair the leading open source IaaS and PaaS
OpenStack and Cloud Foundry - Pair the leading open source IaaS and PaaS
 
RESTful Security
RESTful SecurityRESTful Security
RESTful Security
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
WebLogic authentication debugging
WebLogic authentication debuggingWebLogic authentication debugging
WebLogic authentication debugging
 
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
 
2014 q3-platform-update-v1.06.johnmathon
2014 q3-platform-update-v1.06.johnmathon2014 q3-platform-update-v1.06.johnmathon
2014 q3-platform-update-v1.06.johnmathon
 
MNAssociationEnterpriseArchitectsCloudFoundryJuly2017
MNAssociationEnterpriseArchitectsCloudFoundryJuly2017MNAssociationEnterpriseArchitectsCloudFoundryJuly2017
MNAssociationEnterpriseArchitectsCloudFoundryJuly2017
 
Hybrid integration platform reference architecture
Hybrid integration platform reference architectureHybrid integration platform reference architecture
Hybrid integration platform reference architecture
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
 
Getting Started with Windows Workloads on Amazon EC2 - Toronto
 Getting Started with Windows Workloads on Amazon EC2 - Toronto Getting Started with Windows Workloads on Amazon EC2 - Toronto
Getting Started with Windows Workloads on Amazon EC2 - Toronto
 
How AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloudHow AD has been re-engineered to extend to the cloud
How AD has been re-engineered to extend to the cloud
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...Cloud Native Application Development-build fast, low TCO, scalable & agile so...
Cloud Native Application Development-build fast, low TCO, scalable & agile so...
 

Mais de DataWorks Summit

HBase Global Indexing to support large-scale data ingestion at Uber
HBase Global Indexing to support large-scale data ingestion at UberHBase Global Indexing to support large-scale data ingestion at Uber
HBase Global Indexing to support large-scale data ingestion at Uber
DataWorks Summit
 
Security Framework for Multitenant Architecture
Security Framework for Multitenant ArchitectureSecurity Framework for Multitenant Architecture
Security Framework for Multitenant Architecture
DataWorks Summit
 
Computer Vision: Coming to a Store Near You
Computer Vision: Coming to a Store Near YouComputer Vision: Coming to a Store Near You
Computer Vision: Coming to a Store Near You
DataWorks Summit
 

Mais de DataWorks Summit (20)

Data Science Crash Course
Data Science Crash CourseData Science Crash Course
Data Science Crash Course
 
Floating on a RAFT: HBase Durability with Apache Ratis
Floating on a RAFT: HBase Durability with Apache RatisFloating on a RAFT: HBase Durability with Apache Ratis
Floating on a RAFT: HBase Durability with Apache Ratis
 
Tracking Crime as It Occurs with Apache Phoenix, Apache HBase and Apache NiFi
Tracking Crime as It Occurs with Apache Phoenix, Apache HBase and Apache NiFiTracking Crime as It Occurs with Apache Phoenix, Apache HBase and Apache NiFi
Tracking Crime as It Occurs with Apache Phoenix, Apache HBase and Apache NiFi
 
HBase Tales From the Trenches - Short stories about most common HBase operati...
HBase Tales From the Trenches - Short stories about most common HBase operati...HBase Tales From the Trenches - Short stories about most common HBase operati...
HBase Tales From the Trenches - Short stories about most common HBase operati...
 
Optimizing Geospatial Operations with Server-side Programming in HBase and Ac...
Optimizing Geospatial Operations with Server-side Programming in HBase and Ac...Optimizing Geospatial Operations with Server-side Programming in HBase and Ac...
Optimizing Geospatial Operations with Server-side Programming in HBase and Ac...
 
Managing the Dewey Decimal System
Managing the Dewey Decimal SystemManaging the Dewey Decimal System
Managing the Dewey Decimal System
 
Practical NoSQL: Accumulo's dirlist Example
Practical NoSQL: Accumulo's dirlist ExamplePractical NoSQL: Accumulo's dirlist Example
Practical NoSQL: Accumulo's dirlist Example
 
HBase Global Indexing to support large-scale data ingestion at Uber
HBase Global Indexing to support large-scale data ingestion at UberHBase Global Indexing to support large-scale data ingestion at Uber
HBase Global Indexing to support large-scale data ingestion at Uber
 
Scaling Cloud-Scale Translytics Workloads with Omid and Phoenix
Scaling Cloud-Scale Translytics Workloads with Omid and PhoenixScaling Cloud-Scale Translytics Workloads with Omid and Phoenix
Scaling Cloud-Scale Translytics Workloads with Omid and Phoenix
 
Building the High Speed Cybersecurity Data Pipeline Using Apache NiFi
Building the High Speed Cybersecurity Data Pipeline Using Apache NiFiBuilding the High Speed Cybersecurity Data Pipeline Using Apache NiFi
Building the High Speed Cybersecurity Data Pipeline Using Apache NiFi
 
Supporting Apache HBase : Troubleshooting and Supportability Improvements
Supporting Apache HBase : Troubleshooting and Supportability ImprovementsSupporting Apache HBase : Troubleshooting and Supportability Improvements
Supporting Apache HBase : Troubleshooting and Supportability Improvements
 
Security Framework for Multitenant Architecture
Security Framework for Multitenant ArchitectureSecurity Framework for Multitenant Architecture
Security Framework for Multitenant Architecture
 
Presto: Optimizing Performance of SQL-on-Anything Engine
Presto: Optimizing Performance of SQL-on-Anything EnginePresto: Optimizing Performance of SQL-on-Anything Engine
Presto: Optimizing Performance of SQL-on-Anything Engine
 
Introducing MlFlow: An Open Source Platform for the Machine Learning Lifecycl...
Introducing MlFlow: An Open Source Platform for the Machine Learning Lifecycl...Introducing MlFlow: An Open Source Platform for the Machine Learning Lifecycl...
Introducing MlFlow: An Open Source Platform for the Machine Learning Lifecycl...
 
Extending Twitter's Data Platform to Google Cloud
Extending Twitter's Data Platform to Google CloudExtending Twitter's Data Platform to Google Cloud
Extending Twitter's Data Platform to Google Cloud
 
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFiEvent-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
 
Securing Data in Hybrid on-premise and Cloud Environments using Apache Ranger
Securing Data in Hybrid on-premise and Cloud Environments using Apache RangerSecuring Data in Hybrid on-premise and Cloud Environments using Apache Ranger
Securing Data in Hybrid on-premise and Cloud Environments using Apache Ranger
 
Big Data Meets NVM: Accelerating Big Data Processing with Non-Volatile Memory...
Big Data Meets NVM: Accelerating Big Data Processing with Non-Volatile Memory...Big Data Meets NVM: Accelerating Big Data Processing with Non-Volatile Memory...
Big Data Meets NVM: Accelerating Big Data Processing with Non-Volatile Memory...
 
Computer Vision: Coming to a Store Near You
Computer Vision: Coming to a Store Near YouComputer Vision: Coming to a Store Near You
Computer Vision: Coming to a Store Near You
 
Big Data Genomics: Clustering Billions of DNA Sequences with Apache Spark
Big Data Genomics: Clustering Billions of DNA Sequences with Apache SparkBig Data Genomics: Clustering Billions of DNA Sequences with Apache Spark
Big Data Genomics: Clustering Billions of DNA Sequences with Apache Spark
 

Último

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...

Apache Knox Gateway "Single Sign On" expands the reach of the Enterprise Users

  • 1. Apache Knox Gateway “Single Sign On” expands the reach of the Enterprise users
    Jeffrey E Rodriguez Viaña, Tanping Wang. June 2017
  • 2. Who Am I?
    • Jeffrey E Rodriguez
    • Senior BigData Engineer/Tech Security Leader
    • Work @ IBM.
    • Apache Hadoop/Knox contributor.
    • Apache Xerces committer.
    • https://www.linkedin.com/in/jeffreyrodriguezinnovationperu/
  • 3. Apache Knox Gateway is a proxy for interacting with Apache Hadoop clusters in a secure way, providing authentication, service level authorization, and many other extensions to secure any HTTP interactions in your cluster. One feature of Apache Knox Gateway is the ability to extend the reach of your REST APIs to the internet while still securing your cluster and working with Kerberos. Recent contributions to the Apache Knox community have added support for Single Sign On (SSO) based on Pac4j 1.8.9, a very powerful security engine which provides SSO support through SAML2, OAuth, OpenID, and CAS. In addition, through recent community contributions Apache Ambari, Apache Atlas and Apache Ranger can now also provide SSO authentication through Knox. This presentation will discuss the architecture of Knox SSO, explain how enterprise users could benefit from this feature, and present enterprise use cases for Knox SSO and its integration with the open source Shibboleth IdP, ADFS Windows Server IdP support, and the Okta cloud IdP.
  • 4. Single Sign On (SSO) Case
  • 5. Single Sign On/Federation
    • Knox “SSO” is not a Kerberos or LDAP replacement but an effective way to distribute enterprise authentication resources.
    • You no longer need to proliferate authentication resources (LDAP, KDCs, etc.); you can put these resources behind identity providers such as Shibboleth, ADFS, WSO2, Okta.
    • You can also do identity management through IdP services. This means user identity lifecycle, credentials and authorization can be managed in one single place.
  • 6. • The Apache Knox Gateway is a system that provides a single point of authentication and access for Apache™ Hadoop® services. It provides the following features: a single REST API access point; centralized authentication, authorization and auditing for Hadoop REST/HTTP services.
  • 7. • An identity provider is defined as "A kind of provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers within a federation, such as with web browser profiles."
  • 8. Knox IdPs
    1. Form-based identity provider
      – Knox has a customizable form application which leverages JWT.
      – AKA local SSO
    • JWT, JSON Web Token – RFC7797.
    • “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.”
    • SAML-based identity provider
    • This is set through the knoxsso.xml topology.
  • 9. Knox IdPs infrastructure
    2. SAML-based Identity Provider (IdP)
    • This leverages the PAC4J lib to add support for SAML, CAS, OAuth, OpenID.
    • Also requires changes to the knoxsso.xml and default.xml topologies.
    • At the time of this presentation there is no support for establishing groups from the SAML assertion; the participating applications must use a group lookup to establish group membership based on username.
  • 10. Single Sign On Providers
    • The use case allows a web application like our demo KnoxExplorer (on a different domain, www.local.com) to reach Hadoop HDFS cluster data in a secure way and process/transform/analyze that data.
    • There are many commercial identity providers available as a service, but enterprises have many choices:
    • Host their own SAML, OAuth, etc. identity provider using IBM TFIM (IBM Tivoli Federation Identity Manager) or Microsoft Active Directory Federation Services (ADFS).
    • Use a commercial web service such as the Okta cloud IdP.
    • Use IBM Bluemix cloud SSO as a Service APIs.
    • There are Ambari Single Sign On services such as https://www.onelogin.com/connector/ambari-single-sign-on
  • 11. Knox, starting in Knox 0.8.0, has SSO support (CAS/OAuth/OpenID/SAML) using pac4j. pac4j is a Java security engine to authenticate users, get their profiles and manage their authorizations in order to secure Java web applications. It supports many authentication mechanisms for UI and web services and is implemented by many frameworks and tools. For Knox, it is used as a federation provider to support the OAuth, CAS, SAML and OpenID Connect protocols. It must be used for SSO, in association with the KnoxSSO service and optionally with the SSOCookieProvider for access to REST APIs.
  • 12. Knox SSO Providers/Services
    • KnoxSSO Default Form-based IdP - The default configuration of KnoxSSO provides a form-based authentication mechanism that leverages the Shiro authentication to authenticate against LDAP/AD with credentials collected from a form-based challenge.
    • Pac4J - The pac4j provider adds numerous authentication and federation capabilities including: SAML, CAS, OpenID Connect, Google, Twitter, etc.
    • HeaderPreAuth - A simple mechanism for propagating the identity through HTTP headers that specify the username and group for the authenticated user. This has been built with vendor use cases such as SiteMinder and IBM Tivoli Access Manager.
  • 13. Knox SSO Providers/Services
    • KnoxSSO - The KnoxSSO service is an integration service that provides a normalized SSO token for representing the authenticated user. This token is generally used for WebSSO capabilities for participating UIs and their consumption of the Apache Hadoop REST APIs. KnoxSSO abstracts the actual identity provider integration away from participating applications so that they only need to be aware of the KnoxSSO cookie. The token is presented by the browser as a cookie, and applications that are participating in the KnoxSSO integration are able to cryptographically validate the presented token and remain agnostic to the underlying SSO integration.
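The cryptographic validation a participating UI performs on the KnoxSSO cookie, as an added example and not code from Knox, Ambari, Ranger or Atlas. It assumes the cookie holds a compact JWS token signed with RS256, that the Knox gateway's signing public key is supplied as a PEM string (a hypothetical input exported by the operator), and that the username is carried in the `sub` claim.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Validates a KnoxSSO cookie (JWT, RS256) before the application trusts the identity in it. */
public final class KnoxSsoCookieValidator {
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]+)\"");
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private static final Pattern SUB = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"]+)\"");
    private final PublicKey knoxPublicKey;

    /** gatewayPublicKeyPem: hypothetical PEM export of the Knox gateway signing key. */
    public KnoxSsoCookieValidator(String gatewayPublicKeyPem) throws Exception {
        String b64 = gatewayPublicKeyPem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        this.knoxPublicKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** Returns the authenticated username, or null when the token must be rejected. */
    public String validate(String hadoopJwtCookie) throws Exception {
        String[] parts = hadoopJwtCookie.split("\\.");
        if (parts.length != 3) return null;                        // not a compact JWS token
        Base64.Decoder url = Base64.getUrlDecoder();                // accepts unpadded base64url
        String header = new String(url.decode(parts[0]), StandardCharsets.UTF_8);
        Matcher alg = ALG.matcher(header);
        // Pin the algorithm: never let the token choose 'none' or an HMAC variant.
        if (!alg.find() || !"RS256".equals(alg.group(1))) return null;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(knoxPublicKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(url.decode(parts[2]))) return null;         // forged or tampered token
        String payload = new String(url.decode(parts[1]), StandardCharsets.UTF_8);
        Matcher exp = EXP.matcher(payload);
        // Knox omits 'exp' when the token TTL is unlimited; when present it must be in the future.
        if (exp.find() && Long.parseLong(exp.group(1)) <= Instant.now().getEpochSecond()) return null;
        Matcher sub = SUB.matcher(payload);
        return sub.find() ? sub.group(1) : null;                    // identity lives in 'sub'
    }
}
```

Only after `validate` returns a non-null name should the application look up that user's groups, since (as slide 9 notes) the SAML assertion's groups are not carried in the token.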
  • 14. SAML (almost every other known SSO solution follows a similar pattern)
    • Security Assertion Markup Language (XML based).
  • 16. SSO SAML IdP Services
    • ADFS – Active Directory Federation Services.
    • Shibboleth – Enterprise and Cloud IdP.
    • Bluemix Single Sign On for Bluemix and Bluemix Identity Bridge.
    • IBM Tivoli Federated Identity Manager
    • Bitium
    • Microsoft Azure Active Directory
    • Centrify
    • RSA SecurID
    • OneLogin
  • 17. SSO SAML IdP Services…
    • Gigya
    • SalesForce App Cloud Identity
    • ManageEngine ADManager Plus
    • NetIQ Access Manager
    • CA Identity Manager
    • Oracle Identity Management
    • AWS Identity and Access Management (IAM)
    • Foxpass
  • 18. SSO SAML IdP Services…
    • NetIQ Identity Manager
    • WSO2 Identity Manager
    • PingOne
    • Covisint Cloud Identity
    • CloudSOC
    • SecureAuth IdP
  • 19. ADFS SSO solution for Windows
    • You can configure FS services in AD (Active Directory) so ADFS can serve as an IdP server and support SAML.
  • 20. Shibboleth IdP 3.x Service
    • Shibboleth is a standards-based, open source software package for web single sign-on across or within organizational boundaries.
    • Open source project providing an IdP through SAML
    • Supports SAML 2.0
    • You can configure Shibboleth with FreeIPA.
    • Shibboleth IdP V3
    • Either build it from source or try it using the docker image: “docker run -it -v $(pwd):/ext-mount --rm unicon/shibboleth-idp init-idp.sh”
  • 21. Conclusion
    • Knox provides secure SSL access to Hadoop REST APIs and UIs.
    • The support of SSO by Knox allows authentication to be managed in a more efficient and manageable way by leveraging identity provider services through SAML.
    • You can either use a commercial SaaS identity provider like Okta or roll your own using your existing enterprise middleware like ADFS, or even use the Shibboleth IdP as an open source alternative.
    • We will add a Shibboleth IdP Knox SSO demo and provide future blogs on this integration through the Knox community.
    • Knox supports SSO for Ambari, Apache Ranger, and Apache Atlas.
  • 22. Q&A