Return-Path: X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id EC52C10A6A for ; Tue, 9 Jul 2013 18:57:55 +0000 (UTC) Received: (qmail 84339 invoked by uid 500); 9 Jul 2013 18:57:53 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 84228 invoked by uid 500); 9 Jul 2013 18:57:53 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 84011 invoked by uid 99); 9 Jul 2013 18:57:52 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 09 Jul 2013 18:57:52 +0000 Date: Tue, 9 Jul 2013 18:57:52 +0000 (UTC) From: "James C. Wu (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-9392) Token based authentication and Single Sign On MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-9392?page=3Dcom.atlassia= n.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D137= 03646#comment-13703646 ]=20 James C. Wu commented on HADOOP-9392: ------------------------------------- On page 9 of the new document, Hadoop web browser access, I am concerned ab= out step 7. When the browser authenticates to the remote Idp, and forwards = the results to the TAS for Hadoop identity token, how can TAS be sure that = the authentication result sent by the browser is not faked? =20 > Token based authentication and Single Sign On > --------------------------------------------- > > Key: HADOOP-9392 > URL: https://issues.apache.org/jira/browse/HADOOP-9392 > Project: Hadoop Common > Issue Type: New Feature > Components: security > Reporter: Kai Zheng > Assignee: Kai Zheng > Fix For: 3.0.0 > > Attachments: token-based-authn-plus-sso.pdf, token-based-authn-pl= us-sso-v2.0.pdf > > > This is an umbrella entry for one of project Rhino=E2=80=99s topic, for d= etails of project Rhino, please refer to https://github.com/intel-hadoop/pr= oject-rhino/. The major goal for this entry as described in project Rhino w= as=20 > =20 > =E2=80=9CCore, HDFS, ZooKeeper, and HBase currently support Kerberos auth= entication at the RPC layer, via SASL. However this does not provide valuab= le attributes such as group membership, classification level, organizationa= l identity, or support for user defined attributes. Hadoop components must = interrogate external resources for discovering these attributes and at scal= e this is problematic. There is also no consistent delegation model. HDFS h= as a simple delegation capability, and only Oozie can take limited advantag= e of it. We will implement a common token based authentication framework to= decouple internal user and service authentication from external mechanisms= used to support it (like Kerberos)=E2=80=9D > =20 > We=E2=80=99d like to start our work from Hadoop-Common and try to provide= common facilities by extending existing authentication framework which sup= port: > 1.=09Pluggable token provider interface=20 > 2.=09Pluggable token verification protocol and interface > 3.=09Security mechanism to distribute secrets in cluster nodes > 4.=09Delegation model of user authentication -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrato= rs For more information on JIRA, see: http://www.atlassian.com/software/jira