Would like to run Hue in K8s in corporate environment, with user Kerberos authentication and Hue forwarding the ticket to data stores. Ideally constrained but will consider unconstrained as well. Is it supported by Hue? E,g, for MySQL connectivity with SQLAlchemy or JDBC?
If SQLAlchemy support natively this would be something relatively simple to add.
Hue supports kerberos with/without User impersonation when talking to Hadoop services like HDFS, Hive etc. Also Spengo as login.
Yes, I’ve seen you do kerberos delegation (not sure constrained or not) - basically a synonym for impersonation - for WebHDFS. Was hoping to do a similar thing - preferably constrained, i.e. Hue forwarding service-specific ticket to DB, not TGT.
So far cannot find any mentioning of Kerberos or delegation on SQLAlchemy site. Posting question on their forum. What about JDBC driver though? Would it work, or how difficult to make Hue hand over ticket to JDBC driver that supports it?
Does Hue use python-gssapi ? This lib supports constrained delegation, afaik
Here’s my discussion with Mike Bayer from SQLAlchemy: https://groups.google.com/d/msgid/sqlalchemy/22410183-b6dd-4da6-88de-36316d0d0d22%40www.fastmail.com?utm_medium=email&utm_source=footer
He says, need to look if/how Kerberos is supported by concrete MySQL drivers used by Alchemy, thinks, MySQL-connector-python (mysql+mysqldb://) might be the only one supporting Kerberos