hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9659) Hadoop authentication enhancement use cases, goals, requirements and constraints
Date Tue, 25 Jun 2013 02:54:21 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13692704#comment-13692704 ]

Kai Zheng commented on HADOOP-9659:
-----------------------------------

Kevin, your use cases make sense and I'm happy we share most of them.

>>UC1. Integrate with Kerberos (backwards compatibility).
TokenAuth proposes to include a 'Relaxed Kerberos authentication' deployment model which allows
Hadoop services to go with Kerberos to secure the whole cluster, while also making it possible to integrate
and employ enterprise-dominant IdPs like ActiveDirectory for end users. Does this make sense
to you, or what do you think about implementing this case?

>>UC2. Integrate with desktop ActiveDirectory login (backwards compatibility).
This sure makes sense for a Hadoop deployment on the Windows platform. Are you considering supporting
how a client on Windows authenticates to and accesses a Hadoop deployment on Linux?

>>UC3. Integrate with LDAP only without Kerberos infrastructure.
For such an identity store, without the typical web SSO flow support that can be found in IdPs like
Ping Federate, McAfee Cloud Identity Manager, etc., TAS in TokenAuth provides a common built-in
web endpoint to serve as the IdP to allow web browser access to the Hadoop web interface. Do you think
it works for HSSO?

>>UC4. Integrate with Ping Federate. 
>>UC5. Integrate with Windows Azure Active Directory.
These are two concrete and important IdPs with typical web SSO support. Is there any difference between
the two such that we need two cases to cover them?

>>UC6. Integrate with OpenStack Keystone.
This is the interesting one. What facilities should TokenAuth or HSSO provide to support
this? Should we consider this as a high priority?

                
> Hadoop authentication enhancement use cases, goals, requirements and constraints
> --------------------------------------------------------------------------------
>
>                 Key: HADOOP-9659
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9659
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: security
>            Reporter: Kevin Minder
>            Priority: Critical
>
> We need to collect use cases, goals, requirements and constraints in a central location to inform all of the various efforts underway to improve Hadoop security initially focusing on authentication.
> For each use case we need to consider the following variations:
> A) Hadoop CLI client, B) cURL REST client, C) Browser WebUI client, D) Gateway and direct access for A,B,C
> UC1. Integrate with Kerberos (backwards compatibility).
> UC2. Integrate with desktop ActiveDirectory login (backwards compatibility).
> UC3. Integrate with LDAP only without Kerberos infrastructure.
> UC4. Integrate with Ping Federate. 
> UC5. Integrate with Windows Azure Active Directory.
> UC6. Integrate with OpenStack Keystone.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
