directory-kerby mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: [DISCUSS] Merge HAS to Apache Kerby
Date Wed, 06 Dec 2017 15:22:47 GMT
Hi Jiajia,

Perhaps you could get one of the Alibaba contributors to mail "secretary@apache.org" and ask if there is a CCLA on record?

Colm.

On Tue, Dec 5, 2017 at 1:49 AM, Li, Jiajia <jiajia.li@intel.com> wrote:

> I think Intel provided the CCLA when contributing Kerby to Apache.
> But I'm not sure whether Alibaba has already provided one; is there one
> place we could check it?
>
>
>
> Thanks,
>
> Jiajia
>
>
>
> *From:* Colm O hEigeartaigh [mailto:coheigea@apache.org]
> *Sent:* Tuesday, December 5, 2017 1:50 AM
> *To:* kerby@directory.apache.org
> *Cc:* Apache Directory Developers List <dev@directory.apache.org>
> *Subject:* Re: [DISCUSS] Merge HAS to Apache Kerby
>
>
>
> Do we have both CCLAs filed for Intel and Alibaba?
>
> Colm.
>
>
>
> On Mon, Dec 4, 2017 at 6:36 AM, Li, Jiajia <jiajia.li@intel.com> wrote:
>
> Hi all,
>
> Here is a status update: all the contributors have now provided the
> ICLA to secretary@apache.org and I've created the master JIRA
> (https://issues.apache.org/jira/browse/DIRKRB-671) for this merge.
> Any more suggestions on how to merge?
>
> Thanks,
> Jiajia
>
> From: Li, Jiajia [mailto:jiajia.li@intel.com]
> Sent: Thursday, November 30, 2017 1:38 PM
> To: coheigea@apache.org
> Cc: kerby@directory.apache.org; Apache Directory Developers List <
> dev@directory.apache.org>
> Subject: RE: [DISCUSS] Merge HAS to Apache Kerby
>
> Hi Colm,
>
> > What I meant with the point about the backend, is that it should be
> configurable whether to just trust the signature of the presented auth
> token as sufficient validation, without requiring any MySQL backend. For
> example, the token might be issued by an IdP that HAS "trusts", where the
> IdP has an identity backend of which HAS knows nothing about.
>
> Now I understand what you mean. There are three reasons for using the backend:
> 1. If the user is using the new authentication mechanism (Kerberos-based
> token authentication), the TGT (ticket granting ticket) can be obtained
> without the backend. But a TGT is not enough to access the service; after
> getting the TGT, the next step is to get the SGT (ticket for the service),
> and in this step the service principal is needed in the backend.
> 2. The new authentication mechanism is used by the end users rather than
> at the service level; services are still strongly authenticated by
> Kerberos, logging in through their keytabs.
> 3. Users or admins sometimes want to use "kinit" to get a credential cache
> to manage the cluster, for compatibility.
>
> > One final overall point, is that HAS looks a bit like a
> SecurityTokenService (STS). Apache CXF ships with a STS that I am very
> familiar with. It is a web application that supports a SOAP and REST
> interface to issue, validate tokens etc, where you can "plug in" the tokens
> that are supported. It might be worth exploring if the functionality of HAS
> could be integrated with the CXF STS.
>
> I do not know much about SecurityTokenService; from your introduction, I
> think STS can issue tokens and validate tokens, which is exactly the kind
> of existing authentication system HAS wants to plug in. We can write the
> client and server plugins for STS, then use STS in the HAS framework.
> Please correct me if I'm wrong.
>
> We think it's more suitable to be integrated with Kerby for the following
> reasons:
> 1. The new authentication mechanism ("Kerberos-based token
> authentication") is based on the "TokenPreauth" provided in Kerby, using
> an AuthToken to exchange for a Kerberos ticket.
> 2. The REST APIs are not only for the new authentication; they also
> provide some useful interfaces, such as configuring the Kerby KDC,
> managing the Kerby backend and exporting keytab files. These could help
> make the Kerby KDC stronger.
> 3. HAS binds the webserver and Kerby KDC very closely; they are all
> included in HasServer (we can rename it after merging). We could also
> think of the webserver as one part of the Kerby KDC, using the webserver
> for the KDC to receive some requests from HTTPS clients.
>
> Thanks
> Jiajia
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Wednesday, November 29, 2017 10:58 PM
>
> To: Li, Jiajia <jiajia.li@intel.com>
> Cc: kerby@directory.apache.org; Apache Directory Developers List
> <dev@directory.apache.org>
> Subject: Re: [DISCUSS] Merge HAS to Apache Kerby
>
> Hi Jiajia,
> What I meant with the point about the backend, is that it should be
> configurable whether to just trust the signature of the presented auth
> token as sufficient validation, without requiring any MySQL backend. For
> example, the token might be issued by an IdP that HAS "trusts", where the
> IdP has an identity backend of which HAS knows nothing about.
>
> One final overall point, is that HAS looks a bit like a
> SecurityTokenService (STS). Apache CXF ships with a STS that I am very
> familiar with. It is a web application that supports a SOAP and REST
> interface to issue, validate tokens etc, where you can "plug in" the tokens
> that are supported. It might be worth exploring if the functionality of HAS
> could be integrated with the CXF STS.
>
> Colm.
>
>
> Thanks,
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday, November 28, 2017 9:12 PM
> To: Li, Jiajia <jiajia.li@intel.com>
> Cc: kerby@directory.apache.org; Apache Directory Developers List
> <dev@directory.apache.org>
> Subject: Re: [DISCUSS] Merge HAS to Apache Kerby
>
> Thanks Jiajia, that was very helpful. I have some questions:
>
> There are no HasClientPlugin implementations in the commit (unless I
> missed them). Is the plan to provide some later on, or is the user supposed
> to implement their own?
>
> If we want to get Kerby to issue a TGT using an AuthToken currently, we
> have to use a token armor cache. In HAS, when it queries Kerby to get a TGT
> using the verified AuthToken, is this just an "internal" call so we can
> avoid this step?
>
> I'm not sure why we need to verify the user information in the SQL backend.
> If the received AuthToken is signed by a trusted IdP, can we not just
> accept the identity of the user "as is" and skip this step?
>
> KinitTool and KinitOption in has-client-tool duplicate the Kerby versions
> with just a few changes. Can the changes be rolled into Kerby to prevent
> code duplication?
>
> Colm.
>
> On Tue, Nov 28, 2017 at 2:16 AM, Li, Jiajia <jiajia.li@intel.com> wrote:
>
> > Thanks Colm.
> >
> > > It sounds like a really interesting project.
> > I'm glad to hear that.
> >
> > > Have you got any feedback from the Hadoop project about it?
> > We haven't proposed this solution in the Hadoop community.
> >
> > > I'm finding it hard to understand exactly how it works though based
> > > on
> > the README. Could you describe how it works from a really basic point
> > of view for say a simple Hadoop client? Normally I just have to use
> > "kinit" to get a Kerberos ticket and then I am authenticated to invoke
> > on HDFS. How does HAS work differently? Where does the token pre-auth
> stuff fit in?
> >
> > Following are the steps of a user accessing the HDFS service, taking the
> > command "hadoop fs -ls /" as an example:
> > 1. The user runs the command "hadoop fs -ls /".
> > 2. The Hadoop client calls the "HasLoginModule":
> > https://github.com/apache/directory-kerby/blob/has-project/has/has-client/src/main/java/org/apache/hadoop/has/client/HasLoginModule.java
> > 3. "HasLoginModule" calls the "HasClient":
> > https://github.com/apache/directory-kerby/blob/438904f7e557a085c8c336efd2d2be304291d246/has/has-client/src/main/java/org/apache/hadoop/has/client/HasLoginModule.java#L237
> > 4. "HasClient" gets the plugin type from the config, then chooses the
> > right client plugin; the client plugin collects and adds some user
> > info to the "AuthToken". The following is the client plugin interface:
> >
> > // Get the login module type ID, used to distinguish this module from
> > // others. Should correspond to the server side module.
> > String getLoginType();
> >
> > // Perform all the client side login logic; the results, wrapped in an
> > // AuthToken, will be validated by the HAS server.
> > AuthToken login(Conf loginConf) throws HasLoginException;
> >
> > 5. Then "HasClient" sends the "AuthToken" to the HAS server through HTTPS.
> > 6. After the HAS server receives the message, it calls the server
> > plugin; the server plugin verifies the user info in the AuthToken. The
> > following is the server plugin interface:
> >
> > // Get the login module type ID, used to distinguish this module from
> > // others. Should correspond to the client side module.
> > String getLoginType();
> >
> > // Perform all the server side authentication logic; the results,
> > // wrapped in an "AuthToken", will be used to exchange for a Kerberos
> > // ticket.
> > AuthToken authenticate(AuthToken userToken) throws HasAuthenException;
> >
> > 7. If the user info is verified in the existing user authentication
> > system, the server plugin returns the verified "AuthToken" to the Kerby
> > KDC.
> > 8. The Kerby KDC issues the TGT using the TokenPreauth, then sends the
> > TGT to HasClient through HTTPS.
> > 9. Now the user login is successful, and the other steps can continue,
> > such as getting the SGT ticket.
> >
> > We replace the step of getting the Kerberos ticket through "kinit". There
> > are two important benefits:
> > 1. The user's principal may not be in the backend, so security admins
> > won't have to migrate and sync up their user accounts to Kerberos back
> > and forth.
> > 2. Multiple users could run jobs at the same time on the same machine,
> > by collecting user info from environment variables in step 4.
> >
> >
> > Thanks,
> > Jiajia
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Monday, November 27, 2017 6:54 PM
> > To: kerby@directory.apache.org
> > Cc: Apache Directory Developers List <dev@directory.apache.org>
> > Subject: Re: [DISCUSS] Merge HAS to Apache Kerby
> >
> > Hi Jiajia,
> >
> > It sounds like a really interesting project. Have you got any feedback
> > from the Hadoop project about it?
> >
> > I'm finding it hard to understand exactly how it works though based on
> > the README. Could you describe how it works from a really basic point
> > of view for say a simple Hadoop client? Normally I just have to use
> > "kinit" to get a Kerberos ticket and then I am authenticated to invoke
> > on HDFS. How does HAS work differently? Where does the token pre-auth
> stuff fit in?
> >
> > Colm.
> >
> >
> > On Fri, Nov 24, 2017 at 3:30 AM, Li, Jiajia <jiajia.li@intel.com> wrote:
> >
> > > Hi all,
> > >
> > > I would like to post a proposal about merging a new project, HAS
> > > (Hadoop Authentication Service), into Apache Kerby. HAS is led by Intel
> > > and Alibaba; it is a solution to support the authentication of the open
> > > source big data ecosystem on cloud computing platforms. I've created
> > > a new branch "has-project" in Kerby; HAS is under the "has" folder.
> > > Please look at
> > > https://github.com/apache/directory-kerby/tree/has-project/has
> > > for details.
> > >
> > > Background and motivation:
> > > At present, the open source big data ecosystems (Hadoop/Spark) only
> > > have built-in Kerberos support for security authentication.
> > > HAS aims to build a standalone authentication service for the big
> > > data ecosystem that simplifies the support of Kerberos and allows the
> > > use of more authentication methods.
> > >
> > > Target users:
> > > HAS supports various authentication mechanisms other than just
> > > Kerberos, and it provides a new authentication mechanism that can be
> > > easily customized and plugged into existing user authentication and
> > > authorization systems, so security admins won't have to migrate and
> > > sync up their user accounts to Kerberos back and forth.
> > >
> > > Architecture & Design:
> > > HAS provides a new authentication mechanism ("Kerberos-based token
> > > authentication"), depending on the "TokenPreauth" provided by Apache
> > > Kerby. Please look at
> > > https://github.com/apache/directory-kerby/blob/has-project/has/README.md
> > > for details.
> > >
> > > Features:
> > > 1. Provides new authentication mechanism plugin APIs to customize and
> > > plug in with existing user authentication and authorization systems.
> > > Please look at
> > > https://github.com/apache/directory-kerby/blob/has-project/has/README.md
> > > for details.
> > > 2. Provides lots of REST APIs and facility tools to simplify the
> > > support of Kerberos. Kerberos is essentially a protocol, or secure
> > > channel, and doesn't have to be that complex to users. Please look at
> > > https://github.com/apache/directory-kerby/blob/has-project/has/doc/rest-api.md
> > > for details.
> > > 3. Provides a MySQL backend for High Availability. Please look at
> > > https://github.com/apache/directory-kerby/blob/has-project/has/doc/mysql-backend.md
> > > for details.
> > > 4. The new authentication mechanism now supports most of the components
> > > of the open source big data ecosystem with little or no changes to the
> > > components, including HDFS, HBase, Zookeeper, Hive, Spark.... Please
> > > look at
> > > https://github.com/apache/directory-kerby/tree/has-project/has/supports
> > > for details.
> > >
> > > Practice:
> > > This solution has been deployed in Alibaba Cloud E-MapReduce
> > > production.
> > >
> > > Why merge?
> > > HAS provides a complete Hadoop/Spark authentication framework and
> > > solution based on Kerberos; HAS can help to upgrade the Kerby KDC and
> > > make it more solid and stronger. And if HAS can be merged into Apache
> > > Kerby, the community will help HAS grow faster and users can more easily
> > > use this solution in their own production. We have two suggestions
> > > about how to merge:
> > > - Option 1:
> > > Create a standalone module "kerby-has", putting the HAS project under
> > > this module.
> > > - Option 2:
> > > Replace the kerby-kdc module with HAS, upgrading the Kerby KDC.
> > >
> > > Contributors:
> > > Jiajia, Li (Intel)
> > > Lin, Zeng (Intel)
> > > Zhiqiang, Zhang (Intel)
> > > Kai, Zheng (Intel)
> > > Wei, Wu (Alibaba)
> > > Jun, Song (Alibaba)
> > > Long, Cao (Alibaba)
> > > Zhenyuan, Wei (Alibaba)
> > >
> > > Your review efforts are truly appreciated, please feel free to
> > > provide us your feedback.
> > >
> > > Regards,
> > > Jiajia
> > >
> > >
> > >
> > >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
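The client/server plugin exchange described in the quoted thread (steps 4 to 7, plus the question of trusting a token signed by a trusted IdP without a backend lookup), modelled as an added Python example; this is not Kerby's or HAS's code, and LOGIN_TYPE, IDP_KEY, REALM and the HMAC-signed token format are constructed stand-ins for the real AuthToken, Conf and plugin classes.

```python
import base64, hashlib, hmac, json

# Constructed model of the HAS client/server plugin pair from the thread; names
# are stand-ins, not Apache Kerby's real AuthToken, Conf or plugin classes.
LOGIN_TYPE = "ExampleIdP"          # hypothetical plugin type ID
IDP_KEY = b"constructed-idp-key"   # stand-in for the trusted IdP's signing key
REALM = "EXAMPLE.REALM"            # constructed Kerberos realm

class HasLoginException(Exception): pass
class HasAuthenException(Exception): pass

def sign_token(claims: dict, key: bytes) -> str:
    """AuthToken stand-in: base64(JSON claims) + '.' + HMAC-SHA256 over the claims."""
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.b64encode(body).decode() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()

class ClientPlugin:
    """Step 4 on the page: collect user info into an AuthToken (signed with the IdP key here)."""
    def get_login_type(self) -> str:
        return LOGIN_TYPE

    def login(self, login_conf: dict) -> str:
        if "user" not in login_conf:
            raise HasLoginException("no user in login conf")
        now = login_conf["now"]
        claims = {"type": LOGIN_TYPE, "sub": login_conf["user"], "iat": now, "exp": now + 300}
        return sign_token(claims, login_conf["key"])

class ServerPlugin:
    """Step 6: verify the AuthToken. trust_signature_only models the configurable
    'trust the IdP signature, skip the backend lookup' mode raised in the thread."""
    def __init__(self, idp_key: bytes, backend: set, trust_signature_only: bool):
        self.idp_key, self.backend, self.trust_signature_only = idp_key, backend, trust_signature_only
    def get_login_type(self) -> str:
        return LOGIN_TYPE

    def authenticate(self, user_token: str, now: int) -> dict:
        body_b64, _, mac = user_token.rpartition(".")
        body = base64.b64decode(body_b64)
        expected = hmac.new(self.idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):      # verify before trusting any claim
            raise HasAuthenException("signature mismatch")
        claims = json.loads(body)
        if claims.get("type") != LOGIN_TYPE:           # must match this server plugin
            raise HasAuthenException("wrong login type")
        if not claims["iat"] <= now < claims["exp"]:   # reject stale or not-yet-valid tokens
            raise HasAuthenException("token outside validity window")
        if not self.trust_signature_only and claims["sub"] not in self.backend:
            raise HasAuthenException("principal not in backend")
        return {"principal": f'{claims["sub"]}@{REALM}', "verified_by": LOGIN_TYPE}  # for TokenPreauth (step 7)
```

In signature-only mode a user absent from the backend still gets a verified token, which is exactly the trade-off the thread discusses; the backend mode rejects the same token.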
