hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9392) Token based authentication and Single Sign On
Date Sun, 09 Jun 2013 07:16:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13678961#comment-13678961 ]

Kai Zheng commented on HADOOP-9392:

Daryn –

bq. Delegation tokens are embedded at the RPC layer, so it's a capability that any service
using the common RPC may use.

Thanks for the clarification. Yes, that part was misspoken. The term ‘delegation’ is being
overloaded here. The relevant fact is delegation can be done only where Hadoop RPC is used.
We will update the document to be more clear about issues of delegation.

bq. Given all the discussions involving more radical changes to the security framework, I'm
very keen on providing the modularity required to implement these systems, but in a manner
that will not destabilize the existing security implementation, else Yahoo's 2.x deployments
may be delayed.

Agreed. The proposal here implements Hadoop side changes using SASL and Hadoop RPC of today
as a starting point, with a requirement that the end result remains backwards compatible and
interoperable with existing deployments.

Kevin –

bq. Aligning this area of work across all interested parties is critical. We need to be able
to clearly articulate the goals of the effort and then understand how we can all work together
to accomplish them without duplicate, conflicting work and destabilizing Hadoop. […] We
all have different ideas and are approaching this from different angles. We need to figure
out how all the puzzle pieces fit together.

This is exactly what we hoped opening this JIRA would spark and would like very much for the
whole community of interested parties to work in a cooperative way.  In addition to putting
up an agenda for the summit meetup to bring some structure, bringing all related discussion
under the umbrella of this JIRA would perhaps be helpful in having everyone working together.

> Token based authentication and Single Sign On
> ---------------------------------------------
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>         Attachments: token-based-authn-plus-sso.pdf
>
> This is an umbrella entry for one of project Rhino’s topics; for details of project
> Rhino, please refer to https://github.com/intel-hadoop/project-rhino/. The major goal for
> this entry as described in project Rhino was
>
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication at the
> RPC layer, via SASL. However this does not provide valuable attributes such as group membership,
> classification level, organizational identity, or support for user defined attributes. Hadoop
> components must interrogate external resources for discovering these attributes and at scale
> this is problematic. There is also no consistent delegation model. HDFS has a simple delegation
> capability, and only Oozie can take limited advantage of it. We will implement a common token
> based authentication framework to decouple internal user and service authentication from external
> mechanisms used to support it (like Kerberos)”
>
> We’d like to start our work from Hadoop-Common and try to provide common facilities
> by extending the existing authentication framework which support:
> 1. Pluggable token provider interface
> 2. Pluggable token verification protocol and interface
> 3. Security mechanism to distribute secrets in cluster nodes
> 4. Delegation model of user authentication
