hadoop-common-issues mailing list archives

From "Jerry Chen (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-9798) TokenAuth Implementation - HAS
Date Tue, 30 Jul 2013 08:55:48 GMT
Jerry Chen created HADOOP-9798:
----------------------------------

             Summary: TokenAuth Implementation - HAS
                 Key: HADOOP-9798
                 URL: https://issues.apache.org/jira/browse/HADOOP-9798
             Project: Hadoop Common
          Issue Type: Sub-task
          Components: security
    Affects Versions: 3.0.0
            Reporter: Jerry Chen


HAS is a complete and enterprise-ready security solution based on the TokenAuth framework proposed
by HADOOP-9392 and utilizing the common facilities provided by the framework. It provides
all the necessary implementations of entities, interfaces and services defined in the framework
that are required by industrial deployment.

As a major goal for Rhino, HAS addresses AAA (Authentication, Authorization and Auditing)
concerns for Hadoop across the ecosystem. The 'A' of HAS could be explained as "Authentication",
"Authorization", or "Auditing", depending on which role(s) HAS is configured with. At a high
level, we may need an Authentication Server, an Authorization Server, or an Auditing
Server, and it would be great for such servers to be combined into one centralized server, or to be
deployed separately for performance or network reasons. Currently we're mainly focusing
on "Authentication" and "Authorization", and these two roles can be configured in one server
instance or in separate server instances.

A more detailed scope of HAS implementation is as follows:
* Define and implement the common and management facilities shared across the implementation
of different services. These include a configuration mechanism for services, a persistence API
and method for loading and storing data, an auditing and logging API, a shared high availability
approach, a REST API framework and authentication, and so on.

* Define and implement the Authentication Server role for HAS. The authentication server provides
an identity authentication service and issues identity tokens. The authentication can be configured
with a chain of authentication modules to provide multi-factor authentication ability.
By default, we will support an AD (as LDAP) / LDAP authentication module and an AD (as Kerberos)
/ Kerberos authentication module.

* Define and implement the Authorization Server role for HAS. The authorization server includes
service-level authorization, access token issuance and a fine-grained authorization service.

* Implement the Attribute Service for HAS, to allow integration of third-party attribute authorities.
The Attribute Service provides the ability to connect to and retrieve attributes from different
attribute sources such as LDAP or a database.

* Provide an authorization enforcement library for Hadoop services to enforce security policies
utilizing related services provided by the Authorization Server. To enforce the fine-grained
authorization policies, the policies must be loaded, synchronized, and evaluated on the Hadoop
side.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
