Overview of trusted authentication process

Cloudera Data Visualization (CDV) supports embedding CDV apps within client pages through an HTML iframe component. You have two options: one for open access and another with trusted authentication for enhanced security.

In trusted authentication, the CDV Server authenticates the <iframe> request made by the client and then returns the CDV visualization. To achieve this authentication, CDV uses the trusted authentication protocol, which involves the following steps:
  1. User Browser requests an App page.

    The user requests a web page from the parent web server, which includes an embedded CDV visual within an <iframe> element.

  2. App Server requests a ticket from CDV Server.

    The parent App Server makes a POST ticket request to the CDV Server, including the CDV username for authenticating the <iframe>.

    The ticket request can be authenticated through one of two methods:
    • Ticket-granting user: The ticket request includes the CDV username and password of the trusted ticket granter. This account does not normally have admin or superuser privileges. For more information, see Post ticket request using a ticket-granting user.

    • Trusted IP: The parent App Server is listed among trusted IPs. The POST request includes only the CDV username to obtain the ticket-granting user's full credentials. For more information, see Post ticket request using an IP.

    By default, the ticket may only be used once. However, it can be configured for multiple uses for debugging purposes. The ticket is valid for a configurable time period before expiring.

  3. CDV Server authenticates the request and returns a unique ticket.
    • If the request is valid, CDV Server creates a ticket and returns it as a response to the POST request.

    • If the request is invalid, CDV Server returns the value -1 as the response to the POST request.

  4. App Server returns an HTML page that contains an iframe tag with CDV URL and the ticket.

    The parent App Server uses the ticket to generate a unique URL containing the ticket for the embedded visual. This URL is used for the visual's <iframe> element in the HTML returned to the client. For more information, see Request Visual from CDV Server.

  5. User Browser requests the iframe from CDV Server, including the ticket.

    The client browser uses the iframe URL obtained in the previous step to request the App from the CDV Server.

  6. CDV Server authenticates User Browser based on the ticket and returns the visualization for the iframe.

    The CDV Server authenticates the <iframe> request based on the ticket that is part of the request URL. If the ticket is valid, it automatically logs in the username specified in the original POST request and then sends the visual to the client.

After the user is logged in using the ticket, they can request any other URL until that session expires. The login session expires at the end of the browser session.
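
The ticket rules described above (a -1 response for an invalid request, single use by default, expiry after a configurable period) can be seen in a small model of the server side. This is an added example, not Cloudera's code: the class and method names, the 60-second lifetime, and the granter credentials are assumptions constructed for illustration.

```python
import secrets
import time

INVALID = "-1"  # value the page says CDV Server returns for an invalid ticket request

class TicketStore:
    """Toy model of the server side of the ticket protocol (hypothetical, not CDV code)."""

    def __init__(self, granters, ttl_seconds=60, max_uses=1, clock=time.monotonic):
        self.granters = granters    # constructed sample data: {granter_name: password}
        self.ttl = ttl_seconds      # assumed value; the page only says "configurable"
        self.max_uses = max_uses    # 1 = single use, the default the page describes
        self.clock = clock
        self.tickets = {}           # ticket -> [username, expires_at, uses_left]

    def issue(self, username, granter, password):
        """Steps 2-3: authenticate the ticket request, return a ticket or -1."""
        expected = self.granters.get(granter)
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            return INVALID
        ticket = secrets.token_urlsafe(32)  # unguessable, because it travels in the iframe URL
        self.tickets[ticket] = [username, self.clock() + self.ttl, self.max_uses]
        return ticket

    def redeem(self, ticket):
        """Step 6: return the username to log in, or None if the ticket is unusable."""
        entry = self.tickets.get(ticket)
        if entry is None:
            return None
        username, expires_at, uses_left = entry
        if self.clock() >= expires_at:
            del self.tickets[ticket]
            return None
        if uses_left <= 1:
            del self.tickets[ticket]    # the last permitted use consumes the ticket
        else:
            entry[2] = uses_left - 1
        return username

def demo():
    now = [0.0]                         # constructed fake clock so expiry is deterministic
    store = TicketStore({"ticketgranter": "s3cret"}, ttl_seconds=60, clock=lambda: now[0])
    bad = store.issue("cdvuser1", "ticketgranter", "wrong")
    t1 = store.issue("cdvuser1", "ticketgranter", "s3cret")
    first, replay = store.redeem(t1), store.redeem(t1)
    t2 = store.issue("cdvuser1", "ticketgranter", "s3cret")
    now[0] += 61                        # let the second ticket expire unused
    return bad, first, replay, store.redeem(t2)
```

In `demo()`, the second redemption of the same ticket and the redemption after expiry both fail, which is why a copied iframe URL stops working once the browser has loaded it under the default single-use setting.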