hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9804) Hadoop RPC TokenAuthn method
Date Fri, 01 Nov 2013 14:11:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13811266#comment-13811266
] 

Larry McCay commented on HADOOP-9804:
-------------------------------------

It seems from various discussions that we have had on the mailing lists and at Hadoop Summit
2013 that what folks want is the ability for the services to continue to authenticate via
kerberos and allow user authentication to happen via some pluggable way. I am curious what
this will mean for:

* negotiation - does the negotiation allow for selecting different methods
* if the both choose TokenAuth (or whatever the name becomes) and they can be configured to
realize the token in different ways than I guess the negotiation isn't an issue
* the ability for a client side authentication in the SASL layer to authenticate via LDAP
- for instance - and the server side in the SASL layer to authenticate via kerberos
* do we have each authenticate and present a canonical token to each other here 
* does this described scenario necessitate changes in the current patch here

> Hadoop RPC TokenAuthn method
> ----------------------------
>
>                 Key: HADOOP-9804
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9804
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>              Labels: TokenAuth
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-9804-v1.patch
>
>
> As defined in TokenAuth framework, TokenAuthn as a new authentication method is to be
added in current Hadoop SASL authentication framework, to allow client to access service with
access token. The scope of this is as follows: 
>  
> * Add a new SASL mechanism for TokenAuthn method, including necessary SASL client and
SASL server with corresponding callbacks;
> * Add TokenAuthn method in UGI and allow the method to be configured for Hadoop and the
ecosystem;
> * Allow TokenAuthn method to be negotiated between client and server;
> * Define the IDP-initiated flow and SP-initiated flow in the RPC access;
> * Allow access token to be negotiated between client and server, considering both IDP-initiated
case and SP-initiated case. 



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message