directory-kerby mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: [DISCUSS] Merge HAS to Apache Kerby
Date Mon, 27 Nov 2017 10:25:26 GMT
On Mon, Nov 27, 2017 at 6:19 AM, Li, Jiajia <jiajia.li@intel.com> wrote:

>
>
> We will fix these dependencies soon. One question: I found Apache Hadoop
> also using the Jersey, could we using it through adding the license file?
>

I think Jersey is OK as it is CDDL:

https://www.apache.org/legal/resolved.html

"Software under the following licenses may be included in binary form
within an Apache product if the inclusion is appropriately labeled (see
below):

   - Common Development and Distribution Licenses: CDDL 1.0
   <https://opensource.org/licenses/CDDL-1.0> and CDDL 1.1
   <https://spdx.org/licenses/CDDL-1.1.html>"

Colm.


>
>
> > Plugins, especially "RAM":
> > * What does "RAM" mean?
> > * The RAM plugin is not included but tests and default config seem to
> require it. Classes org.apache.hadoop.has.plugins.client.aliyun.AliyunHasClientPlugin
> and org.apache.hadoop.has.plugins.server.aliyun.AliyunHasServerPlugin are
> not available. Will those also be contributed?
> > * There is no other (default) implementation of HasClientPlugin. Is the
> project still already usable? Or is it only a framework and more
> development effort is requried to implement the plugins?
>
> "RAM" is an example plugin type, It's the name of existing user
> authentication system. I think it's universal enough, so I removed all the
> code associated with this plugin. This project is a framework, users should
> implement their own plugins(including client and server).  But we will
> provide the default implementation of HasClientPlugin in the future work.
> Do you have any suggestions for default plugin? LDAP or others?
>
>
> > Hadoop or Kerby/Directory:
> > * The project name includes Hadoop, the Maven groupId is
> org.apache.hadoop, Java package names are org.apache.hadoop.has. Was it
> planned to contribute this to Hadoop? Or does it make more sense to
> contribute it to Hadoop directly?
>
> No, we won't contribute it to Hadoop. We will change the Maven groupId to
> "org.apache.kerby".
>
>
> > * On the other hand it seems to be also useful otherwise, like to
> configure Kerby KDC via REST and to be able to plugin other authentication
> providers, am I right? Then it totally makes sense to include it into
> Kerby. But in that case I'd suggest to change the names.
>
> Yes, you are right, HAS provides lots of REST APIs to config Kerby KDC,
> and the new authentication mechanism is able to plugin the existing user
> authentication system. I thinks it's ok to change the name of "HAS" if we
> merge it to replace kerby-kdc module to upgrade the Kerby KDC, and do you
> have a suggest name?
> On the other hand, "HAS" also provides the supports for Hadoop ecosystem,
> it's a complete framework for Hadoop Ecosystem, so  I think "HAS" is a good
> choice if we want to create a standalone module for it. Please correct me
> if I am wrong.
>
> Thanks,
> Jiajia
>
> -----Original Message-----
> From: Stefan Seelmann [mailto:mail@stefan-seelmann.de]
> Sent: Sunday, November 26, 2017 12:22 AM
> To: Apache Directory Developers List <dev@directory.apache.org>;
> kerby@directory.apache.org
> Subject: Re: [DISCUSS] Merge HAS to Apache Kerby
>
> I browsed the code and documentation, here some notes and questions:
>
> Was the HAS developed as open source project in public? In readme I see
> some links to github.com/intel-bigdata/has but that only gives 404.
>
> Are all the contributors already ASF committers or have an ICLA on file?
> Otherwise I'm afraid IP clearance is required.
>
> Dependencies:
> * MySQL JDBC driver is GPLv2 which is not compatible with Apache.
> (alternative: Drizzle JDBC)
> * Some dependencies (Jersey, Glassfish) are CDDL licensed which is not
> compatible with Apache. (alternatives: CXF, Geronimo)
> * For some dependencies I cannot find a license:
> com.aliyun:aliyun-java-sdk-core and com.aliyun:aliyun-java-sdk-ram
>
> Plugins, especially "RAM":
> * What does "RAM" mean?
> * The RAM plugin is not included but tests and default config seem to
> require it. Classes org.apache.hadoop.has.plugins.client.aliyun.AliyunHasClientPlugin
> and org.apache.hadoop.has.plugins.server.aliyun.AliyunHasServerPlugin are
> not available. Will those also be contributed?
> * There is no other (default) implementation of HasClientPlugin. Is the
> project still already usable? Or is it only a framework and more
> development effort is requried to implement the plugins?
>
> Hadoop or Kerby/Directory:
> * The project name includes Hadoop, the Maven groupId is
> org.apache.hadoop, Java package names are org.apache.hadoop.has. Was it
> planned to contribute this to Hadoop? Or does it make more sense to
> contribute it to Hadoop directly?
> * On the other hand it seems to be also useful otherwise, like to
> configure Kerby KDC via REST and to be able to plugin other authentication
> providers, am I right? Then it totally makes sense to include it into
> Kerby. But in that case I'd suggest to change the names.
>
> Kind Regards,
> Stefan
>
>
>
> On 11/24/2017 04:30 AM, Li, Jiajia wrote:
> > Hi all,
> >
> > I would like to post a proposal about merging a new project HAS (Hadoop
> Authentication Service) to Apache Kerby. HAS is led by Intel and Alibaba,
> it is a solution to support the authentication of open source big data
> ecosystem in cloud computing platforms. I've created a new branch
> "has-project" in Kerby, HAS is under "has" folder. Please look at
> https://github.com/apache/directory-kerby/tree/has-project/has for
> details.
> >
> > Background and motivation:
> > At present, the open source big data ecosystems (Hadoop/Spark) only has
> the built-in Kerberos support on the security authentication. HAS aims to
> build a standalone authentication service for the big data ecosystem that
> simplifies the support of Kerberos and allows to use more authentication
> methods.
> >
> > Targets users:
> > HAS supports various authentication mechanisms other than just Kerberos,
> and it provides a new authentication mechanism can be easy customized and
> plugin with existing user authentication and authorization system, and
> security admins won't have to migrate and sync up their user accounts to
> Kerberos back and forth.
> >
> > Architecture & Design:
> > HAS provides a new authentication mechanism ("Kerberos-based token
> authentication"), depending on the "TokenPreauth" provided by Apache Kerby.
> Please look at https://github.com/apache/directory-kerby/blob/has-
> project/has/README.md for details.
> >
> > Features:
> > 1.      Provides new authentication mechanism plugin APIs to customize
> and plugin with existing user authentication and authorization system.
> Please look at https://github.com/apache/directory-kerby/blob/has-
> project/has/README.md for details.
> > 2.      Provides lots of REST APIs and facility tools to simplify the
> support of Kerberos. Kerberos is essentially a protocol, or secure channel,
> doesn't have to be that complex to users. Please look at
> https://github.com/apache/directory-kerby/blob/has-
> project/has/doc/rest-api.md for details.
> > 3.      Provides MySQL backend for High Availability. Please look at
> https://github.com/apache/directory-kerby/blob/has-
> project/has/doc/mysql-backend.md for details.
> > 4.      New authentication mechanism now supports most of the components
> of open source big data ecosystem with little or no changes to components,
> including HDFS, HBase, Zookeeper, Hive, Spark.... Please look at
> https://github.com/apache/directory-kerby/tree/has-project/has/supports
> for details.
> >
> > Practice
> > This solution has been deployed in Alibaba Cloud E-MapReduce production.
> >
> > Why to merge?
> > HAS provides a complete Hadoop/Spark authentication framework and
> solution based on Kerberos, HAS can help to upgrade Kerby KDC, make it more
> solid and stronger. And if HAS can be merged to Apache Kerby, community
> will help HAS grow faster and users can more easily using this solution in
> their own production. We have two suggestions about how to merge:
> > - Option1:
> > Create a standalone module "kerby-has", putting HAS project under this
> module.
> > - Option2:
> > Suggest replacing kerby-kdc module with HAS, upgrade the Kerby KDC.
> >
> > Contributors:
> > Jiajia, Li (Intel)
> > Lin, Zeng (Intel)
> > Zhiqiang, Zhang (Intel)
> > Kai, Zheng (Intel)
> > Wei, Wu (Alibaba)
> > Jun, Song (Alibaba)
> > Long, Cao (Alibaba)
> > Zhenyuan, Wei (Alibaba)
> >
> > Your review efforts are truly appreciated, please feel free to provide
> us your feedback.
> >
> > Regards,
> > Jiajia
> >
> >
> >
> >
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message