hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9392) Token based authentication and Single Sign On
Date Fri, 07 Jun 2013 12:45:41 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13677998#comment-13677998

Kai Zheng commented on HADOOP-9392:

Hi Sanjay, thanks for your comments.

You’re right we are using the term “delegation” in a different, more generic way. Hadoop
has delegation tokens for HDFS access that can be transmitted through to MR jobs. We are talking
about delegating authentication and authorization in a pluggable way throughout the entire
ecosystem. What we meant by inconsistent is the ecosystem coverage for delegation, it can’t
be done everywhere, Hadoop delegation today is HDFS centric.

We did not mean to imply that Hadoop had no decoupling, instead we mean our framework will
have this trait. Yes you’re right we imply other issues, and you might agree that the implementation
of UGI should change so authentication mechanisms can plug in more easily. In my understanding,
Daryn might be working on those issues related to allow plugin authentication mechanisms but
in the current way. As you said this jira proposes much more than this and it targets to support
plugin authentication mechanisms in TAS via a TokenAuthn method in current framework based
on token, so that Hadoop ecosystem components only needs to talk to the token without understanding
or involving concrete authentication mechanisms.

Regarding the jira description thanks for your suggestion. It’s not the whole story, we
mean “Single Sign On for Kerberos or Non-Kerberos environments using tokens”. We want
to extend what Hadoop can do today with Kerberos to encompass additional authenticators and
identify providers.

We don’t mean to replace current Hadoop tokens (delegation token, block token, job token
and etc). In my view, they’re internal tokens, TokenAuth token is more like UGI equivalent,
so we believe the new token can coexist with the old tokens, as the doc mentions and also
discussed previously with Thomas. I agree we might have two phases, in phase 1 we introduce
TAS as authentication to external system, trying not to change internal tokens. And in phase
2 we might improve those tokens or have better support for such tokens utilizing the new authn
& authz framework if we find such possibilities or space.

> Token based authentication and Single Sign On
> ---------------------------------------------
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>         Attachments: token-based-authn-plus-sso.pdf
> This is an umbrella entry for one of project Rhino’s topic, for details of project
Rhino, please refer to https://github.com/intel-hadoop/project-rhino/. The major goal for
this entry as described in project Rhino was 
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication at the
RPC layer, via SASL. However this does not provide valuable attributes such as group membership,
classification level, organizational identity, or support for user defined attributes. Hadoop
components must interrogate external resources for discovering these attributes and at scale
this is problematic. There is also no consistent delegation model. HDFS has a simple delegation
capability, and only Oozie can take limited advantage of it. We will implement a common token
based authentication framework to decouple internal user and service authentication from external
mechanisms used to support it (like Kerberos)”
> We’d like to start our work from Hadoop-Common and try to provide common facilities
by extending existing authentication framework which support:
> 1.	Pluggable token provider interface 
> 2.	Pluggable token verification protocol and interface
> 3.	Security mechanism to distribute secrets in cluster nodes
> 4.	Delegation model of user authentication

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message