API server relays Kerberos authentication by SPNEGO

Asked Sep 06 '18 at 02:21

Active Sep 06 '18 at 02:21

Viewed 78 times

I want Kerberos authentication with SPNEGO from Chrome on Windows PC to Hadoop(kerberized).

In the case of requesting Hadoop directly from a windows PC as below, I think that authentication will pass normally.

|Windows PC(Chrome)| -- SPNEGO --> |Hadoop(HDFS..etc)|

However, in the actual system configuration, there is a REST API in the meantime and it is necessary to relay requests to Hadoop.

|Windows PC(Chrome)| -- SPNEGO --> |REST API Server| --> SPNEGO --> |Hadoop(HDFS..etc)|

Is this possible?

If so, what kind of implementation is required on the REST API side in order to pass the Windows PC credentials intact to Hadoop?

asked Sep 06 '18 at 02:21

t_uma66

"Double hop" is usually forbidden for security reasons : if an attacker takes control of your API server then it can impersonate any connected user on any server/service anywhere. Duh. – Samson Scharfrichter Sep 06 '18 at 07:46
Microsoft has "constrained delegation" to mitigate the risks, hence with a .NET service and lots of patience you may get a security clearance... – Samson Scharfrichter Sep 06 '18 at 07:48
Hi. I just knew that "constrained delegation" is necessary in this configuration. Thanks! – t_uma66 Sep 07 '18 at 07:18

0 Answers0