Return-Path: 
 <common-issues-return-48714-apmail-hadoop-common-issues-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 6A9C910197
	for <apmail-hadoop-common-issues-archive@minotaur.apache.org>;
 Sun,  9 Jun 2013 07:16:28 +0000 (UTC)
Received: (qmail 73238 invoked by uid 500); 9 Jun 2013 07:16:27 -0000
Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org
Received: (qmail 71652 invoked by uid 500); 9 Jun 2013 07:16:21 -0000
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:common-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:common-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:common-issues@hadoop.apache.org>
List-Id: <common-issues.hadoop.apache.org>
Reply-To: common-issues@hadoop.apache.org
Delivered-To: mailing list common-issues@hadoop.apache.org
Received: (qmail 71596 invoked by uid 99); 9 Jun 2013 07:16:20 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 09 Jun 2013 07:16:20 +0000
Date: Sun, 9 Jun 2013 07:16:20 +0000 (UTC)
From: "Kai Zheng (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <JIRA.12636348.1363003127597.90717.1370762180252@arcas>
In-Reply-To: <JIRA.12636348.1363003127597@arcas>
References: <JIRA.12636348.1363003127597@arcas>
Subject: [jira] [Commented] (HADOOP-9392) Token based authentication and
 Single Sign On
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/HADOOP-9392?page=3Dcom.atlassia=
n.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D136=
78961#comment-13678961 ]=20

Kai Zheng commented on HADOOP-9392:
-----------------------------------

Daryn =E2=80=93

bq. Delegation tokens are embedded at the RPC layer, so it's a capability t=
hat any service using the common RPC may use.
=20
Thanks for the clarification. Yes that part was misspoken. The term =E2=80=
=98delegation=E2=80=99 is being overloaded here. The relevant fact is deleg=
ation can be done only where Hadoop RPC is used. We will update the documen=
t to be more clear about issues of delegation.
=20
bq. Given all the discussions involving more radical changes to the securit=
y framework, I'm very keen to providing the modularity required to implemen=
t these systems, but in a manner that will not destabilize the existing sec=
urity implementation, else Yahoo's 2.x deployments may be delayed.
=20
Agreed. The proposal here implements Hadoop side changes using SASL and Had=
oop RPC of today as a starting point, with a requirement that the end resul=
t remains backwards compatible and interoperable with existing deployments.
=20
Kevin =E2=80=93=20
=20
bq. Aligning this area of work across all interested parties is critical. W=
e need to be able to clearly articulate the goals of the effort and then un=
derstand how we can all work together to accomplish them without duplicate,=
 conflicting work and destabilizing Hadoop. [=E2=80=A6] We all have differe=
nt ideas and are approaching this from different angles. We need to figure =
out how all the puzzle pieces fit together.

This is exactly what we hoped opening this JIRA would spark and would like =
very much for the whole community of interested parties to work in a cooper=
ative way.  In addition to putting up an agenda for the summit meetup to br=
ing some structure, bringing all related discussion under the umbrella of t=
his JIRA would perhaps be helpful in having everyone working together.

               =20
> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>
>         Attachments: token-based-authn-plus-sso.pdf
>
>
> This is an umbrella entry for one of project Rhino=E2=80=99s topic, for d=
etails of project Rhino, please refer to https://github.com/intel-hadoop/pr=
oject-rhino/. The major goal for this entry as described in project Rhino w=
as=20
> =20
> =E2=80=9CCore, HDFS, ZooKeeper, and HBase currently support Kerberos auth=
entication at the RPC layer, via SASL. However this does not provide valuab=
le attributes such as group membership, classification level, organizationa=
l identity, or support for user defined attributes. Hadoop components must =
interrogate external resources for discovering these attributes and at scal=
e this is problematic. There is also no consistent delegation model. HDFS h=
as a simple delegation capability, and only Oozie can take limited advantag=
e of it. We will implement a common token based authentication framework to=
 decouple internal user and service authentication from external mechanisms=
 used to support it (like Kerberos)=E2=80=9D
> =20
> We=E2=80=99d like to start our work from Hadoop-Common and try to provide=
 common facilities by extending existing authentication framework which sup=
port:
> 1.=09Pluggable token provider interface=20
> 2.=09Pluggable token verification protocol and interface
> 3.=09Security mechanism to distribute secrets in cluster nodes
> 4.=09Delegation model of user authentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrato=
rs
For more information on JIRA, see: http://www.atlassian.com/software/jira