[keycloak-user] Protecting Hadoop UIs with Keycloak?

Bill Burke bburke at redhat.com
Wed Dec 17 07:56:41 EST 2014

Really depends how the Hadoop UI works.  Is it a Javascript app making 
REST calls to the server only?  Then you would use keycloak.js, 
BearerTokenRequestAuthenticator.  Or does the server render the UI?  If 
so, then you should implement a version of RequestAuthenticator (both 
bearer and redirect) and hook it in via your AuthanticationHandler.

If you get something working, we'd be happy to include it in keycloak 
and maintain it.

On 12/16/2014 11:45 PM, Kevin Minder wrote:
> Hi Keycloak,
> I'm interested in putting together a quick POC of Keycloak as the SSO
> server for several Hadoop UIs.  Most Hadoop UIs use an embedded Jetty
> server and they provide a Hadoop specific authentication plugin mechanism.
> See:
> https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
> I was hoping to find in docs or in an example on the web a non-container
> managed servlet filter integration that I could rework into a Hadoop
> AuthenticationHandler.
> Anyway, would I be on the right track if I...
> 1) Wrap the adapters below in Hadoop AuthenticationHandlers having
> AuthenticationHandler.authenticate call *Authenticator.authenticate
> keycloak/integration/adapter-core/src/main/java/org/keycloak/adapters/BasicAuthRequestAuthenticator.java
> keycloak/integration/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
> 2) In those, wrap the request/response in this
> keycloak/integration/jetty/jetty-core/src/main/java/org/keycloak/adapters/jetty/JettyHttpFacade.java
> 3) Create the KeycloakDeployment via the builder with these with a
> keystone.js input stream from somewhere
> keycloak/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java
> keycloak/integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeploymentBuilder.java
> What totally obvious things am I missing?
> Is it possible to have a container agnostic integration like this?
> For one I'm not seeing how the KeycloakSecurityContext attribute that
> JettyHttpFacade expects is setup in the Jetty adapter.
> Kevin.

Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-user mailing list