
The Big Data Platform's Firewall: the Knox Service Gateway

Date: 2019-05-08 00:14:42


Perimeter security / firewall

Knox is used to put two tiers of firewall around the big data platform.

The first firewall forces all internet communication to talk only to the Knox gateway. Communication that passes the security challenges at the gateway (IP, ports, Kerberos/LDAP authentication, other) is routed to the cluster.

The second firewall further isolates the cluster by forcing the cluster to only accept communication from the gateway, which is a known host on the internal network.

Knox gateway deployment architecture

Ranger authorization and control

Authentication with Knox

Trusted proxy

Knox Trusted Proxy is useful in cloud deployments when you need the seamless and uniform authentication benefits of both proxy and SSO. Trusted Proxy is automatically configured by Cloudera Manager in CDP deployments.

Knox Trusted Proxy propagates the authenticated end user to the backend service. The request is “trusted” in that the given backend/service is able to validate that the request came from a certain place and was allowed to make the request. A backend in this case is any service that Knox is acting as a proxy for (e.g., Cloudera Manager, Hive JDBC, Ranger UI, etc.). Each of these services has a mechanism to ensure that 1) the request IP address and 2) the request user match what it expects. If the request matches on both, the service does not have to authenticate again and can trust that Knox sent the request.

When making requests to the cluster, Knox first authenticates the end user, and then adds that user as a query parameter (?doAs=USERNAME) to the request it sends to the backend. The backend then checks that the request is trusted (request IP and request user) and extracts the end user (USERNAME) from the query parameter. The backend service then does whatever is necessary as that backend user. Knox and the proxied services authenticate to each other via Kerberos.
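
A sketch of the backend-side check described above, as an added example (not code from Knox, Hadoop or the original page). The function name, the policy table and the addresses are hypothetical; `caller` is assumed to be the identity the backend has already authenticated via Kerberos.

```python
import ipaddress
from urllib.parse import parse_qs

# Constructed sample policy: the identity Knox authenticates as (Kerberos)
# and the internal address it is allowed to connect from.
TRUSTED_PROXIES = {"knox": [ipaddress.ip_network("10.0.0.5/32")]}


class Untrusted(Exception):
    """Raised when a doAs request fails the trusted-proxy checks."""


def effective_user(caller, remote_ip, query_string, proxies=TRUSTED_PROXIES):
    """Return the user the backend should act as for this request.

    caller       -- identity already authenticated by the backend
    remote_ip    -- peer address of the connection, not a header value
    query_string -- raw query string, e.g. "op=LISTSTATUS&doAs=alice"
    """
    params = parse_qs(query_string, keep_blank_values=True)
    # Treat the parameter name case-insensitively so every spelling of
    # doAs goes through the same checks.
    do_as = [v for k, vs in params.items() if k.lower() == "doas" for v in vs]
    if not do_as:
        return caller  # no impersonation requested
    if len(do_as) != 1 or not do_as[0].strip():
        raise Untrusted("ambiguous or empty doAs parameter")
    networks = proxies.get(caller)
    if networks is None:  # check 2: request user must be a known proxy
        raise Untrusted(f"{caller} may not act on behalf of other users")
    addr = ipaddress.ip_address(remote_ip)
    if not any(addr in net for net in networks):  # check 1: request IP
        raise Untrusted(f"{caller} is not allowed to proxy from {remote_ip}")
    return do_as[0]
```

Both checks have to pass before the `doAs` value is honoured, which is why the second firewall (cluster accepts traffic only from the gateway host) matters: without it the IP check is the only thing tying the request to Knox.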

Common Security Architecture Using Apache Knox for Data Access

Apache Knox is a gateway application and the door to access data in a data lake hidden behind a firewall.
