Chaining authenticators

[Tim Harsch]

Hi all,

I contributed some features to jwtauthenticator recently to pass tokens via query parameter, and have been using that in the case where I have a JWT token and wanted to use that to authenticate to the hub.   But now I'm considering how I can get the authenticated user to be impersonated to launch spark jobs from the notebook.  Still investigating that...   I found this slide deck https://www.slideshare.net/SparkSummit/secured-kerberosbased-spark-notebook-for-data-science-spark-summit-east-talk-by-joy-chakraborty and the video, but I haven't yet found a reference implementation for the architecture he describes.  Not sure it fits the bill in any case.

I'm thinking my case might be simpler: I have a authenticated user via the JWT Token, but  I now want to assert that user via kerberos ticket next...  and then pass that ticket along when he/she submits jobs from the notebook.  So, it seems to me I want to chain authenticators in a logical-and fashion. 

In addition I'm wondering how to chain together authenticators so the user if not found in one, the next authenticator would be checked?  Which is probably the more typical use case.

Thank you for your insights,

Tim