Return-Path: 
 <common-issues-return-50085-apmail-hadoop-common-issues-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id BC171106A6
	for <apmail-hadoop-common-issues-archive@minotaur.apache.org>;
 Wed, 10 Jul 2013 22:35:53 +0000 (UTC)
Received: (qmail 91579 invoked by uid 500); 10 Jul 2013 22:35:53 -0000
Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org
Received: (qmail 91552 invoked by uid 500); 10 Jul 2013 22:35:53 -0000
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:common-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:common-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:common-issues@hadoop.apache.org>
List-Id: <common-issues.hadoop.apache.org>
Reply-To: common-issues@hadoop.apache.org
Delivered-To: mailing list common-issues@hadoop.apache.org
Received: (qmail 91543 invoked by uid 99); 10 Jul 2013 22:35:53 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Jul 2013 22:35:53 +0000
Date: Wed, 10 Jul 2013 22:35:53 +0000 (UTC)
From: "Tianyou Li (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <JIRA.12636348.1363003127597.29062.1373495753379@arcas>
In-Reply-To: <JIRA.12636348.1363003127597@arcas>
References: <JIRA.12636348.1363003127597@arcas>
Subject: [jira] [Commented] (HADOOP-9392) Token based authentication and
 Single Sign On
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/HADOOP-9392?page=3Dcom.atlassia=
n.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D137=
05174#comment-13705174 ]=20

Tianyou Li commented on HADOOP-9392:
------------------------------------

Hi James,=20

Thanks for reviewing. For Web SSO flow, usually the IdP will issue a token =
which is signed to ensure data integrity. So the token issued by IdP as a r=
esult of IdP authentication cannot be modified because the signing key is a=
 secret of IdP, other parties cannot get the signing key so the token canno=
t be modified.=20

Moreover, once client is redirect to IdP for authentication, the client usu=
ally need to verify and accept server certificate as a step of trust for th=
e IdP via SSL(https), in this way to ensure credentials client is providing=
 are routed to trusted IdP via secured channel. TAS also need to verify the=
 signature of the token issued by that IdP, this step will prove that token=
 is exactly issued by the designate IdP and can be authenticated successful=
ly with TAS.

As mentioned above, TLS/SSL should be enabled to protect credentials transm=
ission during authentication process with IdP, and mitigate with MITM attac=
k. To further improve the client authN security, multi-factor such as addit=
ional OTP authentication can also be employed, this is one of our design go=
al but might not be explicitly mentioned.

Regards.

               =20
> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>
>         Attachments: token-based-authn-plus-sso.pdf, token-based-authn-pl=
us-sso-v2.0.pdf
>
>
> This is an umbrella entry for one of project Rhino=E2=80=99s topic, for d=
etails of project Rhino, please refer to https://github.com/intel-hadoop/pr=
oject-rhino/. The major goal for this entry as described in project Rhino w=
as=20
> =20
> =E2=80=9CCore, HDFS, ZooKeeper, and HBase currently support Kerberos auth=
entication at the RPC layer, via SASL. However this does not provide valuab=
le attributes such as group membership, classification level, organizationa=
l identity, or support for user defined attributes. Hadoop components must =
interrogate external resources for discovering these attributes and at scal=
e this is problematic. There is also no consistent delegation model. HDFS h=
as a simple delegation capability, and only Oozie can take limited advantag=
e of it. We will implement a common token based authentication framework to=
 decouple internal user and service authentication from external mechanisms=
 used to support it (like Kerberos)=E2=80=9D
> =20
> We=E2=80=99d like to start our work from Hadoop-Common and try to provide=
 common facilities by extending existing authentication framework which sup=
port:
> 1.=09Pluggable token provider interface=20
> 2.=09Pluggable token verification protocol and interface
> 3.=09Security mechanism to distribute secrets in cluster nodes
> 4.=09Delegation model of user authentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrato=
rs
For more information on JIRA, see: http://www.atlassian.com/software/jira