KnoxSSO integration

[mapto]

I'm working on a SSO integration with Apache Knox. I'm writing this issue to ask for validation and advice on my approach, so that it is hopefully useful in a more general context.

Knox provides a combined service of HTTPS gateway/proxy and SSO. Because of this, I'm considering a simplified authentication mechanism which assumes that Knox controls all the requests allowing only authorised ones and for Superset it remains only to identify the user and perform an automatic login. I'm using authentication, based on LDAP where both Knox and Superset have access to the LDAP users directory.

I have currently identified three possible ways of doing the above identification:

• from a GET request parameter user.name that Knox sends to to managed applications
• from the Basic authentication header set by Knox
• from a hadoop-jwt` cookie set by Knox.

I currently don't see why in the current context I should bother to unpack the JWT, given that I can get the user name unencrypted. Admittedly, I need to make sure that the Superset logged-in session does not outlive the Knox logged-in session, but at this point this seems manageable to me. Can anyone think of an issue I might be missing and thus my reasoning is invalid?

PS: Not really relevant, but here's a link to the Knox issue on gateway integration with Superset. Here's a link to the source code of the work-in-progress integration.

[mapto]

I'm facing problems with redirects and I'm not sure what exactly am I doing wrong:

1. When I authenticate the user programatically using information from the request (same for all three of the original approaches I tried) and calling flask_login.login_user, the next call somehow looses its session cookie. This might be a consequence to the following issue.

2. Leaving authentication aside, when reverse-proxy pages that do not require authentication, these pages end up in a self-redirect loop, possibly similar to this issue. I haven't tried engineering X-Forwarded-* request headers yet, but this seems the way to go.

[mistercrunch]

Have you tried setting the conf flag ENABLE_PROXY_FIX = True ?

For context, here's what it does:
https://github.com/apache/incubator-superset/blob/3ae02d1a542ed66522f6a0a51433490e7da9ea30/superset/__init__.py#L162

http://werkzeug.pocoo.org/docs/0.14/contrib/fixers/#werkzeug.contrib.fixers.ProxyFix

[mistercrunch]

Seems this seems to come up quite a bit, I was wondering to myself "should we make this the default"?

It appears the answer is no :(. From the docs: "Do not use this middleware in non-proxy setups for security reasons."

[mapto]

Thanks for the tip. It seems to have solved this problem, or at least I can see the headers and I'm facing another one with Knox keystores now.

Since this is about XFF-related headers, it makes sense that this is used only when forwarding is needed (e.g. when proxying, like my case with Knox). I was tempted to say that "fix" in the name is misleading, as this is a valid and seemingly long-standing configuration option, but than I saw that in werkzeug it is under contrib.fixers, so probably that would be a better place for such a discussion.

[mapto]

I have an early (dirty and partial) version of this working now. To be verified how/if it suits our needs and most probably changes will follow. It is available at https://github.com/mapto/knox_superset_testing if of interest to the community.

My current implementation reads the hadoop-jwt cookie and performs user identification at every request. The advantage of this is that it avoids synchronising session TTL between Knox and Superset. The disadvantage might be performance, but at this point this doesn't appear to be critical.

As can be seen from the code, this now works with code injection, and can be improved, subject to suggestions in #3997.

The integration currently exposes only the welcome and sqllab sections.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.