directory-kerby mailing list archives

From "Li, Jiajia" <jiajia...@intel.com>
Subject RE: [DISCUSS] Merge HAS to Apache Kerby
Date Mon, 27 Nov 2017 01:57:31 GMT
Thanks Emmanuel.

> Is there some information on HAS, before it was added in a branch ?
> Typically, where does it come from (ie, the history), specs, documentation, etc ?

HAS is a private repo under https://github.com/Intel-bigdata, and I've moved all the specs
and docs to https://github.com/apache/directory-kerby/tree/has-project/has/doc


> We would really need ICLA for each of those contributors who haven't already sent one,
> and most certain a CCLA from Intel and Alibaba.

Yes, all the contributors can provide the ICLA. I think Kai, Lin and I already sent one.


> Otherwise, assuming we check the code base is 'safe' (ie no problem with any of its
> dependency, and clean copyright), I would say I won't oppose to such a move.

We will take some time to check the license and copyright ASAP.


Thanks,
Jiajia



-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Saturday, November 25, 2017 9:14 PM
To: kerby@directory.apache.org
Subject: Re: [DISCUSS] Merge HAS to Apache Kerby

Hi Jiajia,


On 24/11/2017 at 04:30, Li, Jiajia wrote:
> Hi all,
>
> I would like to post a proposal about merging a new project HAS (Hadoop Authentication
> Service) to Apache Kerby. HAS is led by Intel and Alibaba, it is a solution to support the
> authentication of open source big data ecosystem in cloud computing platforms. I've created
> a new branch "has-project" in Kerby, HAS is under "has" folder. Please look at https://github.com/apache/directory-kerby/tree/has-project/has
> for details.

Is there some information on HAS, before it was added in a branch ?
Typically, where does it come from (ie, the history), specs, documentation, etc ?
>
> Background and motivation:
> At present, the open source big data ecosystems (Hadoop/Spark) only have the built-in
> Kerberos support on the security authentication. HAS aims to build a standalone authentication
> service for the big data ecosystem that simplifies the support of Kerberos and allows to use
> more authentication methods.
>
> Target users:
> HAS supports various authentication mechanisms other than just Kerberos, and it provides
> a new authentication mechanism that can be easily customized and plugged in with existing user authentication
> and authorization system, and security admins won't have to migrate and sync up their user
> accounts to Kerberos back and forth.
>
> Architecture & Design:
> HAS provides a new authentication mechanism ("Kerberos-based token authentication"),
> depending on the "TokenPreauth" provided by Apache Kerby. Please look at https://github.com/apache/directory-kerby/blob/has-project/has/README.md
> for details.
>
> Features:
> 1. Provides new authentication mechanism plugin APIs to customize and plug in with
> existing user authentication and authorization system. Please look at https://github.com/apache/directory-kerby/blob/has-project/has/README.md
> for details.
> 2. Provides lots of REST APIs and facility tools to simplify the support of Kerberos.
> Kerberos is essentially a protocol, or secure channel, and doesn't have to be that complex to
> users. Please look at https://github.com/apache/directory-kerby/blob/has-project/has/doc/rest-api.md
> for details.
> 3. Provides MySQL backend for High Availability. Please look at https://github.com/apache/directory-kerby/blob/has-project/has/doc/mysql-backend.md
> for details.
> 4. New authentication mechanism now supports most of the components of open source
> big data ecosystem with little or no changes to components, including HDFS, HBase, Zookeeper,
> Hive, Spark.... Please look at https://github.com/apache/directory-kerby/tree/has-project/has/supports
> for details.
>
> Practice
> This solution has been deployed in Alibaba Cloud E-MapReduce production.
>
> Why to merge?
> HAS provides a complete Hadoop/Spark authentication framework and solution based on Kerberos,
> HAS can help to upgrade Kerby KDC, make it more solid and stronger. And if HAS can be merged
> to Apache Kerby, community will help HAS grow faster and users can more easily use this
> solution in their own production. We have two suggestions about how to merge:
> - Option1:
> Create a standalone module "kerby-has", putting HAS project under this module.
> - Option2:
> Suggest replacing kerby-kdc module with HAS, upgrade the Kerby KDC.
>
> Contributors:
> Jiajia, Li (Intel)
> Lin, Zeng (Intel)
> Zhiqiang, Zhang (Intel)
> Kai, Zheng (Intel)
> Wei, Wu (Alibaba)
> Jun, Song (Alibaba)
> Long, Cao (Alibaba)
> Zhenyuan, Wei (Alibaba)

We would really need ICLA for each of those contributors who haven't already sent one, and
most certain a CCLA from Intel and Alibaba.

Otherwise, assuming we check the code base is 'safe' (ie no problem with any of its dependency,
and clean copyright), I would say I won't oppose to such a move.

Keep in mind that the real key here is the maintenance of this piece of code in the long run,
too...

Thanks !

--
Emmanuel Lecharny

Symas.com
directory.apache.org
