hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sanjay Radia (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9392) Token based authentication and Single Sign On
Date Fri, 12 Jul 2013 18:19:54 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13707194#comment-13707194
] 

Sanjay Radia commented on HADOOP-9392:
--------------------------------------

This document helps clarify the proposal. Thanks. I would like to improve terminology confusion
in two area: the terms *token* and *Token authentication service".  
* Hadoop already has tokens used for authentication. Discussions in this jira clarified that
the hadoop tokens were general and not limited to hdfs as was originally mentioned in this
Jira. 
 * Further all authentication solutions use tokens/tickets and "token-based" is not the distinguishing
characteristic of this solution. Indeed its distinguishing characteristics is a different
model for pluggability. 

Hence I would like to propose to change the name of TAS and also add a suffix or prefix to
the new tokens to avoid confusion with the Hadoop tokens.  The TAS is really a federated authentication
service, where each TAS is centralized. So how about calling it an  Hadoop Authentication
service HAS. Or perhaps a Pluggable Authentication Service - PAS (or HPAS?).  Indeed pluggability
is its distinguishing characteristics - you don't have to  plugin on the RPC layer but in
this service. As for the name of the new tokens:  PAS-tokens or HAS-tokens depending on whether
the service is called HAS or PAS. 


                
> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>
>         Attachments: token-based-authn-plus-sso.pdf, token-based-authn-plus-sso-v2.0.pdf
>
>
> This is an umbrella entry for one of project Rhino’s topic, for details of project
Rhino, please refer to https://github.com/intel-hadoop/project-rhino/. The major goal for
this entry as described in project Rhino was 
>  
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication at the
RPC layer, via SASL. However this does not provide valuable attributes such as group membership,
classification level, organizational identity, or support for user defined attributes. Hadoop
components must interrogate external resources for discovering these attributes and at scale
this is problematic. There is also no consistent delegation model. HDFS has a simple delegation
capability, and only Oozie can take limited advantage of it. We will implement a common token
based authentication framework to decouple internal user and service authentication from external
mechanisms used to support it (like Kerberos)”
>  
> We’d like to start our work from Hadoop-Common and try to provide common facilities
by extending existing authentication framework which support:
> 1.	Pluggable token provider interface 
> 2.	Pluggable token verification protocol and interface
> 3.	Security mechanism to distribute secrets in cluster nodes
> 4.	Delegation model of user authentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message