Comment: Migrated to Confluence 5.3
PlantUML Macro
border: 1
title: REST SSO Flow (SAML)
hide footbox
autonumber

participant "Client\n(eg JEE App)" as cli
participant "SAML IdP\n(eg Shibboleth)" as idp
participant "Knox\nGW" as gw #lime
participant "Hadoop\n(eg NN)" as svc #lime
 
activate cli
group Non-normative example of how a saml-bearer-token might be obtained
|||
cli -> idp: /authenticate.POST(username,password)
  activate idp
  cli <-- idp: ok200(saml-bearer-token)
  deactivate idp
|||
end
...
cli -> gw: /cluster/service.GET(saml-bearer-token)
  activate gw
  gw -> gw: validate(saml-bearer-token):username
  gw -> svc: /service.GET(username)
  activate svc
  gw <-- svc: ok200(results)
  deactivate svc
  cli <-- gw: ok200(results)
  deactivate gw

deactivate cli

 

 

PlantUML Macro
border: 1
title: REST SSO Flow (SAML)
hide footbox
autonumber

participant "Client\n(eg JEE App)" as cli
participant "SSO\n(eg Shibboleth)" as sso
participant "Knox\nGW" as gw #lime
participant "LDAP" as idp
participant "Hadoop\n(eg NN)" as svc #lime
 
activate cli

cli -> sso: /authenticate.POST(username,password)
  activate sso 
  cli <-- sso: saml-bearer-token[username]
  deactivate sso
 
cli -> gw: /cluster/service.GET(saml-bearer-token)
  activate gw
  gw -> idp: lookupGroups(username):groups
  gw -> svc: /service.GET(username)
  activate svc
  gw <-- svc: ok200(results)
  deactivate svc
  cli <-- gw: ok200(results)
  deactivate gw

deactivate cli

 

 

PlantUML Macro
border: 1
title: REST SSO Flow (LDAP)
hide footbox
autonumber

participant "Client\n(eg JEE App)" as cli
participant "Knox\nTS/SSO" as sso
participant "LDAP" as idp
participant "Knox\nGW" as gw
participant "Hadoop\n(eg NN)" as svc
 
activate cli

cli -> sso: /authenticate.POST(username,password)
  activate sso 
  sso -> idp: authenticate(username,password)
  sso -> idp: lookupGroups():groups
  cli <-- sso: jwt-bearer-token[username,groups]
  deactivate sso
 
cli -> gw: /cluster/service.GET(jwt-bearer-token)
  activate gw
  gw -> svc: /service.GET(username)
  gw <-- svc: results
  cli <-- gw: results
  deactivate gw
deactivate cli
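
The gateway-side token check implied by the LDAP flow above (the first SAML flow draws the same step as validate(...):username), as an added example that is not part of the original page and is not Knox code. It assumes an HS256-signed JWT with a key shared between the token service and the gateway; the key, claim names and function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: shared by token service and gateway

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username, groups, ttl=300, now=None):
    """Token service side: the jwt-bearer-token[username,groups] response."""
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sub": username, "groups": groups, "exp": now + ttl}).encode())
    sig = hmac.new(KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64e(sig)}"

def validate_token(token, now=None):
    """Gateway side: return (username, groups) or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(header_b64))
        sig = b64d(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64d(claims_b64))  # parsed only after the signature checks out
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims["sub"], claims.get("groups", [])

def gateway_request(authorization_header, now=None):
    """Identity the gateway asserts to the backend in /service.GET(username)."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing bearer token")
    username, groups = validate_token(token, now)
    return {"username": username, "groups": groups}
```

The backend receives only the username the gateway derived from a verified token, so the backend must accept that assertion from the gateway alone.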