JahstreetOrg / spark-on-kubernetes-helm

Spark on Kubernetes infrastructure Helm charts repo
Apache License 2.0

Authorization on REST API Header #30

Open marcjimz opened 4 years ago

marcjimz commented 4 years ago

Would like to enable basic authorization that was configurable at run time. When deploying this in a multi-tenant model (i.e. each tenant has their own Livy orchestration), we need to secure the authentications made, otherwise the Livy API is open to the entire cluster.

One way of doing this is LDAP, but I wonder if there is a supportable way to incorporate either a JWT token or Basic Auth.

Example:

import json, pprint, requests, textwrap
host = 'http://localhost:8998'
data = {'kind': 'spark'}
headers = {'Content-Type': 'application/json'}
r = requests.post(host + '/sessions', data=json.dumps(data), headers=headers)
r.json()

{u'state': u'starting', u'id': 0, u'kind': u'spark'}

We could add Authorization to the headers and have this embedded with basic auth.

jahstreet commented 4 years ago

Hi @marcjimz, thx for sharing more details. I see that it can be solved in 2 ways depending on your needs:

Please let me know if a complete example with step-by-step instructions is required.

marcjimz commented 4 years ago

Hi - neither of those would work since a pod that runs inside the cluster can still access the headless service.

I think I will commit the basic auth class to the project and let that read from the configs. I suspect the LDAP auth class is a similar interface to the one it is expecting, which I should be able to replicate. Will see if I can get that to work and commit back here.
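Added example, not part of the thread and not Livy or chart code: a Python sketch of the two halves discussed so far, the client building the `Authorization: Basic` header and a server-side check against per-tenant credentials loaded from config. The function names, tenant names and passwords are hypothetical and constructed for illustration, and the header lookup is a plain case-sensitive dict for brevity.

```python
# Added illustration only; all names and sample credentials are constructed.
import base64, binascii, hashlib, hmac, os

def hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash instead of the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_credential_store(plain: dict) -> dict:
    """Build {user: (salt, hash)}, standing in for per-tenant config."""
    store = {}
    for user, password in plain.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store

def basic_auth_header(user: str, password: str) -> dict:
    """Client side: the header that would be merged into the request headers."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}

# Dummy entry so unknown users cost the same hashing work as known ones.
_DUMMY = (b"\x00" * 16, hash_password("", b"\x00" * 16))

def authenticate(headers: dict, store: dict):
    """Server side: return the user name, or None if the reply must be a 401."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 payload
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        return None
    salt, expected = store.get(user, _DUMMY)
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return user if ok and user in store else None
```

Basic credentials are only base64-encoded, so the header is readable by anything on the path unless the connection to the API is wrapped in TLS.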

jahstreet commented 4 years ago

> a pod that runs inside the cluster can still access the headless service.

Right, good point. Nice to see people contributing to this area, would be nice to follow up on your progress.

jahstreet commented 4 years ago

Hi @marcjimz, have you had a chance to implement the solution proposed above? Can you share the link to the patch sources?