hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thomas NGUY (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9392) Token based authentication and Single Sign On
Date Mon, 22 Apr 2013 02:39:17 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13637736#comment-13637736
] 

Thomas NGUY commented on HADOOP-9392:
-------------------------------------

Thank you for you answer Kai.

As you have noticed, someone has recently created a JIRA to allow new authentification mechanisms
based on JaaS and SaSl in Hadoop. 
https://issues.apache.org/jira/browse/HADOOP-9479
His work could be very interesting for us since we're basically trying to implement a new
authentification mechanism in order to keep the code backward compatible.

Plus, his work could be coupled with https://github.com/biancini/Shibboleth-Authentication/tree/master/jaas_module
which is a JaaS module for Shibboleth.
But I guess, Shibboleth cannot be used as it is, since it doesnt provide token. 

Concerning the "Common token", the idea, if I'm not wrong, is to insert the user attributes
in it so Hadoop internal services won't need to call a pluggable function to get them. However,
does that mean that the "common token" will also be transmitted to Hadoop internal service??
Because we already have a token to authentificate to Hadoop internal services ( Delegation
Token, Job Token ...)  and it means that we will have to deal with 2 tokens.

Thanks for reading me.
                
> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>             Fix For: 3.0.0
>
>
> This is an umbrella entry for one of project Rhino’s topic, for details of project
Rhino, please refer to https://github.com/intel-hadoop/project-rhino/. The major goal for
this entry as described in project Rhino was 
>  
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication at the
RPC layer, via SASL. However this does not provide valuable attributes such as group membership,
classification level, organizational identity, or support for user defined attributes. Hadoop
components must interrogate external resources for discovering these attributes and at scale
this is problematic. There is also no consistent delegation model. HDFS has a simple delegation
capability, and only Oozie can take limited advantage of it. We will implement a common token
based authentication framework to decouple internal user and service authentication from external
mechanisms used to support it (like Kerberos)”
>  
> We’d like to start our work from Hadoop-Common and try to provide common facilities
by extending existing authentication framework which support:
> 1.	Pluggable token provider interface 
> 2.	Pluggable token verification protocol and interface
> 3.	Security mechanism to distribute secrets in cluster nodes
> 4.	Delegation model of user authentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message