hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hrishikesh Gadre (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-12082) Support multiple authentication schemes via AuthenticationFilter
Date Wed, 10 Jun 2015 17:56:00 GMT
Hrishikesh Gadre created HADOOP-12082:

             Summary: Support multiple authentication schemes via AuthenticationFilter
                 Key: HADOOP-12082
                 URL: https://issues.apache.org/jira/browse/HADOOP-12082
             Project: Hadoop Common
          Issue Type: Improvement
          Components: security
    Affects Versions: 2.6.0
            Reporter: Hrishikesh Gadre

The requirement is to support LDAP based authentication scheme via Hadoop AuthenticationFilter.
HADOOP-9054 added a support to plug-in custom authentication scheme (in addition to Kerberos)
via AltKerberosAuthenticationHandler class. But it is based on selecting the authentication
mechanism based on User-Agent HTTP header which does not conform to HTTP protocol semantics.

As per [RFC-2616|http://www.w3.org/Protocols/rfc2616/rfc2616.html]

- HTTP protocol provides a simple challenge-response authentication mechanism that can be
used by a server to challenge a client request and by a client to provide the necessary authentication
- This mechanism is initiated by server sending the 401 (Authenticate) response with ‘WWW-Authenticate’
header which includes at least one challenge that indicates the authentication scheme(s) and
parameters applicable to the Request-URI. 
- In case server supports multiple authentication schemes, it may return multiple challenges
with a 401 (Authenticate) response, and each challenge may use a different auth-scheme. 
- A user agent MUST choose to use the strongest auth-scheme it understands and request credentials
from the user based upon that challenge.

The existing Hadoop authentication filter implementation supports Kerberos authentication
scheme and uses ‘Negotiate’ as the challenge as part of ‘WWW-Authenticate’ response
header. As per the following documentation, ‘Negotiate’ challenge scheme is only applicable
to Kerberos (and Windows NTLM) authentication schemes.
[SPNEGO-based Kerberos and NTLM HTTP Authentication|http://tools.ietf.org/html/rfc4559]
[Understanding HTTP Authentication|https://msdn.microsoft.com/en-us/library/ms789031%28v=vs.110%29.aspx]

On the other hand for LDAP authentication, typically ‘Basic’ authentication scheme is
used (Note TLS is mandatory with Basic authentication scheme).

Hence for this feature, the idea would be to provide a custom implementation of Hadoop AuthenticationHandler
and Authenticator interfaces which would support both schemes - Kerberos (via Negotiate auth
challenge) and LDAP (via Basic auth challenge). During the authentication phase, it would
send both the challenges and let client pick the appropriate one. If client responds with
an ‘Authorization’ header tagged with ‘Negotiate’ - it will use Kerberos authentication.
If client responds with an ‘Authorization’ header tagged with ‘Basic’ - it will use
LDAP authentication.

Note - some HTTP clients (e.g. curl or Apache Http Java client) need to be configured to use
one scheme over the other e.g.
- curl tool supports option to use either Kerberos (via --negotiate flag) or username/password
based authentication (via --basic and -u flags). 
- Apache HttpClient library can be configured to use specific authentication scheme.

Typically web browsers automatically choose an authentication scheme based on a notion of
“strength” of security. e.g. take a look at the [design of Chrome browser for HTTP authentication|https://www.chromium.org/developers/design-documents/http-authentication]

This message was sent by Atlassian JIRA

View raw message