Authorization on REST API Header #30

Open
marcjimz opened this issue May 12, 2020 · 4 comments

marcjimz commented May 12, 2020

Would like to enable basic authorization that is configurable at run time. When deploying this in a multi-tenant model (i.e. each tenant has their own Livy orchestration), we need to secure the authentications made; otherwise the Livy API is open to the entire cluster.

One way of doing this is LDAP, but I wonder if there is a supportable way to incorporate either a JWT token or Basic Auth.

Example:

import json, pprint, requests, textwrap
host = 'http://localhost:8998'
data = {'kind': 'spark'}
headers = {'Content-Type': 'application/json'}
r = requests.post(host + '/sessions', data=json.dumps(data), headers=headers)
r.json()

{u'state': u'starting', u'id': 0, u'kind': u'spark'}

We could add Authorization to the headers and have this embedded with basic auth.
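
As an added illustration of the Basic auth idea in the comment above (not code from the issue author or the project): a client helper that builds the `Authorization` header and a server-side check that validates it against credentials read at run time. The environment variable names `LIVY_BASIC_USER` and `LIVY_BASIC_PASSWORD` and all function names are assumptions, and Livy's own authentication filter interface is not shown. Basic credentials are only base64-encoded, so the sketch assumes TLS in front of the endpoint.

```python
import base64
import hmac
import os


def load_credentials(env=os.environ):
    """Read the expected user/password at run time (variable names are assumed)."""
    return env["LIVY_BASIC_USER"], env["LIVY_BASIC_PASSWORD"]


def basic_auth_header(user, password):
    """Client side: build the RFC 7617 Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def check_basic_auth(headers, expected_user, expected_password):
    """Server side: return the authenticated user, or None (respond 401)."""
    # Header names are case-insensitive in HTTP.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Split on the first ':' only; the password itself may contain ':'.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Evaluate both comparisons in constant time before combining them,
    # so the response time does not reveal which field was wrong.
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user if (user_ok and pw_ok) else None


if __name__ == "__main__":
    # Constructed sample configuration and request headers.
    env = {"LIVY_BASIC_USER": "tenant-a", "LIVY_BASIC_PASSWORD": "s3cr:et"}
    user, password = load_credentials(env)
    headers = {"Content-Type": "application/json", **basic_auth_header(user, password)}
    print(check_basic_auth(headers, user, password))                           # accepted
    print(check_basic_auth(basic_auth_header(user, "wrong"), user, password))  # rejected
```

On the client, the dictionary returned by `basic_auth_header` can be merged into the `headers` passed to `requests.post` in the snippet above.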

@jahstreet
Collaborator

Hi @marcjimz, thx for sharing more details. I see that it can be solved in 2 ways depending on your needs:

Please let me know if a complete example with step-by-step instructions is required.

@marcjimz
Author

Hi - neither of those would work since a pod that runs inside the cluster can still access the headless service.

I think I will commit the basic auth class to the project and let that read from the configs. I suspect the LDAP auth class is a similar interface to the one it is expecting, which I should be able to replicate. Will see if I can get that to work and commit back here.

@jahstreet
Collaborator

> a pod that runs inside the cluster can still access the headless service.

Right, good point. Nice to see people contributing in this area, would be nice to follow up on your progress.

@jahstreet
Collaborator

Hi @marcjimz, have you had a chance to implement the solution proposed above? Can you share the link to the patch sources?
