Date: Tue, 25 Jun 2013 02:54:21 +0000 (UTC)
From: "Kai Zheng (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-9659) Hadoop authentication enhancement use cases, goals, requirements and constraints

[ https://issues.apache.org/jira/browse/HADOOP-9659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13692704#comment-13692704 ]

Kai Zheng commented on HADOOP-9659:
-----------------------------------

Kevin, your use cases make sense and I'm happy we share most of them.

>>UC1. Integrate with Kerberos (backwards compatibility).
TokenAuth proposes to include a 'Relaxed Kerberos authentication' deployment model which allows Hadoop services to go with Kerberos to secure the whole cluster, while making it possible to integrate and employ enterprise-dominant IdPs like ActiveDirectory for end users. Does this make sense to you, or what do you think about implementing this case?

>>UC2. Integrate with desktop ActiveDirectory login (backwards compatibility).
This sure makes sense for Hadoop deployments on the Windows platform. Do you consider supporting how a client on Windows authenticates to and accesses a Hadoop deployment on Linux?

>>UC3. Integrate with LDAP only without Kerberos infrastructure.
For such an identity store, without the typical web SSO flow support that can be found in IdPs like Ping Federate, McAfee Cloud Identity Manager, etc., TAS in TokenAuth provides a common built-in web endpoint to serve as an IdP to allow web browser access to the Hadoop web interface. Do you think it works for HSSO?

>>UC4. Integrate with Ping Federate.
>>UC5. Integrate with Windows Azure Active Directory.
These are two concrete and important IdPs with typical web SSO support. Is there any difference between the two such that we need two cases to cover them?

>>UC6. Integrate with OpenStack Keystone.
This is the interesting one. What facilities should TokenAuth or HSSO provide to support this? Should we consider this as a high priority?

> Hadoop authentication enhancement use cases, goals, requirements and constraints
> --------------------------------------------------------------------------------
>
> Key: HADOOP-9659
> URL: https://issues.apache.org/jira/browse/HADOOP-9659
> Project: Hadoop Common
> Issue Type: Task
> Components: security
> Reporter: Kevin Minder
> Priority: Critical
>
> We need to collect use cases, goals, requirements and constraints in a central location to inform all of the various efforts underway to improve Hadoop security initially focusing on authentication.
> For each use case we need to consider the following variations:
> A) Hadoop CLI client, B) cURL REST client, C) Browser WebUI client, D) Gateway and direct access for A,B,C
> UC1. Integrate with Kerberos (backwards compatibility).
> UC2. Integrate with desktop ActiveDirectory login (backwards compatibility).
> UC3. Integrate with LDAP only without Kerberos infrastructure.
> UC4. Integrate with Ping Federate.
> UC5. Integrate with Windows Azure Active Directory.
> UC6. Integrate with OpenStack Keystone.