hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9392) Token based authentication and Single Sign On
Date Thu, 13 Jun 2013 14:22:24 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13682280#comment-13682280

Larry McCay commented on HADOOP-9392:

A thank you to those that attended the prep-call yesterday for the summit security session.
While not all interested parties were able to make it to this call, we were able to lay some
groundwork for moving forward in being prepared. We intend to schedule another call for next
week at a more globally appropriate time. In the mean time, the following is a summary of
the call from yesterday and should be used to frame the agenda for the next call.

Prep-call Summary


Community driven collaboration examples
* HDFS-HA as a successful model
	- break out concrete areas that can be worked on by different parties but are aligned and
	- HDFS-HA apparently did this between at least two contributing parties with functionality
separated into things like:
		a. client failover/recovery
		b. transaction journalling to support the recovery
Roadmap to prepare for summit:

* Describe overall end-state goals for the Hadoop Security Model for Authentication (keep
the scope focused on authn)
* Canonical security concerns and threats for an authentication system that is an alternative
to kerberos
	- add as document or subtask of https://issues.apache.org/jira/browse/HADOOP-9621
* Describe the various tasks/projects that are required for reaching our goals
	- reconcile existing Jiras as subtasks of others as appropriate

Ideally at summit we will be able to focus on:

* Identify a phased approach to reaching our goals
* Identify the best form of collaboration model for the effort
* Identify natural seams of separation for collaboration
* Interested contributors commit to specific aspects of the effort

> Token based authentication and Single Sign On
> ---------------------------------------------
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>         Attachments: token-based-authn-plus-sso.pdf
> This is an umbrella entry for one of project Rhino’s topic, for details of project
Rhino, please refer to https://github.com/intel-hadoop/project-rhino/. The major goal for
this entry as described in project Rhino was 
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication at the
RPC layer, via SASL. However this does not provide valuable attributes such as group membership,
classification level, organizational identity, or support for user defined attributes. Hadoop
components must interrogate external resources for discovering these attributes and at scale
this is problematic. There is also no consistent delegation model. HDFS has a simple delegation
capability, and only Oozie can take limited advantage of it. We will implement a common token
based authentication framework to decouple internal user and service authentication from external
mechanisms used to support it (like Kerberos)”
> We’d like to start our work from Hadoop-Common and try to provide common facilities
by extending existing authentication framework which support:
> 1.	Pluggable token provider interface 
> 2.	Pluggable token verification protocol and interface
> 3.	Security mechanism to distribute secrets in cluster nodes
> 4.	Delegation model of user authentication

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message