Return-Path: X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F183E11065 for ; Sat, 13 Sep 2014 18:34:34 +0000 (UTC) Received: (qmail 87157 invoked by uid 500); 13 Sep 2014 18:34:34 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 87104 invoked by uid 500); 13 Sep 2014 18:34:34 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 87092 invoked by uid 99); 13 Sep 2014 18:34:34 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 13 Sep 2014 18:34:34 +0000 Date: Sat, 13 Sep 2014 18:34:34 +0000 (UTC) From: "Allen Wittenauer (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HADOOP-9392) Token based authentication and Single Sign On MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-9392?page=3Dcom.atlassi= an.jira.plugin.system.issuetabpanels:all-tabpanel ] Allen Wittenauer updated HADOOP-9392: ------------------------------------- Fix Version/s: (was: 3.0.0) > Token based authentication and Single Sign On > --------------------------------------------- > > Key: HADOOP-9392 > URL: https://issues.apache.org/jira/browse/HADOOP-9392 > Project: Hadoop Common > Issue Type: New Feature > Components: security > Reporter: Kai Zheng > Assignee: Yi Liu > Attachments: TokenAuth-breakdown.pdf, token-based-authn-plus-sso-= v2.0.pdf, token-based-authn-plus-sso.pdf > > > This is an umbrella entry for one of project Rhino=E2=80=99s topic, for d= etails of project Rhino, please refer to https://github.com/intel-hadoop/pr= oject-rhino/. The major goal for this entry as described in project Rhino w= as=20 > =20 > =E2=80=9CCore, HDFS, ZooKeeper, and HBase currently support Kerberos auth= entication at the RPC layer, via SASL. However this does not provide valuab= le attributes such as group membership, classification level, organizationa= l identity, or support for user defined attributes. Hadoop components must = interrogate external resources for discovering these attributes and at scal= e this is problematic. There is also no consistent delegation model. HDFS h= as a simple delegation capability, and only Oozie can take limited advantag= e of it. We will implement a common token based authentication framework to= decouple internal user and service authentication from external mechanisms= used to support it (like Kerberos)=E2=80=9D > =20 > We=E2=80=99d like to start our work from Hadoop-Common and try to provide= common facilities by extending existing authentication framework which sup= port: > 1.=09Pluggable token provider interface=20 > 2.=09Pluggable token verification protocol and interface > 3.=09Security mechanism to distribute secrets in cluster nodes > 4.=09Delegation model of user authentication -- This message was sent by Atlassian JIRA (v6.3.4#6332)