[keycloak-user] Protecting Hadoop UIs with Keycloak?
Kevin Minder
kevin.minder at hortonworks.com
Tue Dec 16 23:45:37 EST 2014
Hi Keycloak,
I'm interested in putting together a quick POC of Keycloak as the SSO
server for several Hadoop UIs. Most Hadoop UIs use an embedded Jetty
server and they provide a Hadoop-specific authentication plugin mechanism.
See:
https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
I was hoping to find in docs or in an example on the web a non-container
managed servlet filter integration that I could rework into a Hadoop
AuthenticationHandler.
Anyway, would I be on the right track if I...

1) Wrap the adapters below in Hadoop AuthenticationHandlers having
AuthenticationHandler.authenticate call *Authenticator.authenticate
    keycloak/integration/adapter-core/src/main/java/org/keycloak/adapters/BasicAuthRequestAuthenticator.java
    keycloak/integration/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
2) In those, wrap the request/response in this
    keycloak/integration/jetty/jetty-core/src/main/java/org/keycloak/adapters/jetty/JettyHttpFacade.java
3) Create the KeycloakDeployment via the builder with these with a
keystone.js input stream from somewhere
    keycloak/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
    keycloak/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java

What totally obvious things am I missing?
Is it possible to have a container agnostic integration like this?
For one, I'm not seeing how the KeycloakSecurityContext attribute that
JettyHttpFacade expects is set up in the Jetty adapter.
Kevin.
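
The three steps proposed in the message above, put together for the bearer-token case as an added example that is not part of the original post and is not Keycloak or Hadoop project code. It assumes the embedded container hands the handler an org.eclipse.jetty.server.Request and that the adapter classes the message lists expose the constructors and methods used here; the class name, the type string and the configuration property are hypothetical.

```java
import java.io.*;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.server.*;
import org.eclipse.jetty.server.Request;
import org.keycloak.adapters.*;
import org.keycloak.adapters.jetty.JettyHttpFacade;
import org.keycloak.representations.AccessToken;

public class KeycloakBearerAuthenticationHandler implements AuthenticationHandler {
  public static final String TYPE = "keycloak-bearer";        // hypothetical type name
  public static final String CONFIG = "keycloak.config.file"; // hypothetical property
  private KeycloakDeployment deployment;

  @Override public String getType() { return TYPE; }

  @Override public void init(Properties config) throws ServletException {
    String path = config.getProperty(CONFIG);
    if (path == null) throw new ServletException(CONFIG + " is not set");
    try (InputStream in = new FileInputStream(path)) {
      deployment = KeycloakDeploymentBuilder.build(in);        // step 3: adapter config stream
    } catch (IOException e) {
      throw new ServletException("cannot read " + path, e);
    }
  }

  @Override public void destroy() { deployment = null; }

  @Override public boolean managementOperation(AuthenticationToken token,
      HttpServletRequest req, HttpServletResponse res) { return true; }

  @Override public AuthenticationToken authenticate(HttpServletRequest req,
      HttpServletResponse res) throws IOException, AuthenticationException {
    if (!(req instanceof Request))       // assumption: org.eclipse.jetty container
      throw new AuthenticationException("request is not an org.eclipse.jetty Request");
    JettyHttpFacade facade = new JettyHttpFacade((Request) req, res);    // step 2
    BearerTokenRequestAuthenticator bearer = new BearerTokenRequestAuthenticator(deployment);
    if (bearer.authenticate(facade) != AuthOutcome.AUTHENTICATED) {      // step 1
      if (bearer.getChallenge() != null) bearer.getChallenge().challenge(facade);
      else res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return null;                       // fail closed: the response carries the challenge
    }
    AccessToken access = bearer.getToken();
    String user = access.getPreferredUsername() != null
        ? access.getPreferredUsername() : access.getSubject();
    return new AuthenticationToken(user, access.getSubject(), TYPE);
  }
}
```

Returning null after the challenge has been written tells Hadoop's AuthenticationFilter that the handler already produced the response, so any outcome other than AUTHENTICATED never reaches the protected UI.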