hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11717) Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
Date Sun, 15 Mar 2015 04:02:38 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362187#comment-14362187
] 

Larry McCay commented on HADOOP-11717:
--------------------------------------

Hello [~drankye] - Good to hear from you. I think that there is certainly room for making
a pluggable validation mechanism. I'd rather not slow down progress by trying to do too much
here though. Let's do as little as we can here to get the job done. If subclassing the proposed
class and overriding a particular validation method will suffice then I think that should
be the short term goal. I'm not sure that we need a specific classname configuration item
for a token validator but I could be convinced otherwise. The JWT validation rules are pretty
clear and we are covering the main ones in this patch.

* signature verification
* expiration date validation
* audience validation

There isn't anything for scopes yet - if you have particular needs there then we should add
it.

I suggest that we get something simple in for now and evolve it as needed.

I am happy to see that we are aligned on nimbus - the API is simple and succinct and works
as expected. I have been really pleased with it.

> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
>                 Key: HADOOP-11717
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11717
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>         Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch
>
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler will redirect
to when there is no hadoop.auth cookie and no JWT token found in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for compromised use
> This will introduce the use of nimbus-jose-jwt library for processing, validating and
parsing JWT tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
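The three validation rules listed in the comment above (signature, expiration, audience), and the "cryptographically verifiable" and "limited lifetime" properties the issue description relies on, applied with nimbus-jose-jwt. This is an added illustration written for this page, not code from the HADOOP-11717 patches or from Hadoop; the class name, the `validate`/`mint` methods, the audience string `hadoop-ui`, the issuer URL and the in-memory key pair are all this example's own assumptions. The `mint` method plays the role of the external SSO service so the example runs offline.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.List;

/** Hypothetical validator for this example; names are not Hadoop's. */
public class JwtValidationExample {

    /** Applies the three rules from the thread: signature, expiration, audience. */
    static String validate(String serialized, RSAPublicKey ssoKey,
                           String expectedAudience, long clockSkewSeconds) {
        try {
            SignedJWT jwt = SignedJWT.parse(serialized);

            // 1. Signature: pin the algorithm the SSO provider is configured to use.
            //    This also rejects "alg":"none" and HMAC tokens keyed with the public key.
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
                return "rejected: unexpected alg " + jwt.getHeader().getAlgorithm();
            }
            if (!jwt.verify(new RSASSAVerifier(ssoKey))) {
                return "rejected: bad signature";
            }

            JWTClaimsSet claims = jwt.getJWTClaimsSet();

            // 2. Expiration: a token with no exp is treated as invalid, not as unlimited.
            Date exp = claims.getExpirationTime();
            if (exp == null) {
                return "rejected: no exp claim";
            }
            long nowSeconds = System.currentTimeMillis() / 1000;
            if (exp.getTime() / 1000 + clockSkewSeconds < nowSeconds) {
                return "rejected: expired at " + exp;
            }

            // 3. Audience: the token must name this service; otherwise a token minted
            //    for another relying party of the same SSO would be accepted here.
            List<String> aud = claims.getAudience();
            if (aud == null || !aud.contains(expectedAudience)) {
                return "rejected: audience " + aud + " does not include " + expectedAudience;
            }

            return "accepted: " + claims.getSubject();
        } catch (ParseException | JOSEException e) {
            return "rejected: " + e.getMessage();
        }
    }

    /** Mints an RS256 token; stands in for the external SSO service in this example. */
    static String mint(RSAPrivateKey key, String subject, String audience, long ttlSeconds)
            throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(subject)
                .issuer("https://sso.example.test")   // assumed issuer, not a real service
                .audience(audience)
                .issueTime(new Date())
                .expirationTime(new Date(System.currentTimeMillis() + ttlSeconds * 1000))
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: an in-memory key pair standing in for the SSO provider's key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();

        String goodToken = mint(priv, "alice", "hadoop-ui", 300);
        String expiredToken = mint(priv, "alice", "hadoop-ui", -60);
        String wrongAudToken = mint(priv, "alice", "some-other-app", 300);

        // Signed by an unrelated key (an attacker's own): must fail rule 1 even though
        // the claims look perfect.
        KeyPair rogue = gen.generateKeyPair();
        String forgedToken = mint((RSAPrivateKey) rogue.getPrivate(), "admin", "hadoop-ui", 300);

        System.out.println(validate(goodToken, pub, "hadoop-ui", 30));
        System.out.println(validate(expiredToken, pub, "hadoop-ui", 30));
        System.out.println(validate(wrongAudToken, pub, "hadoop-ui", 30));
        System.out.println(validate(forgedToken, pub, "hadoop-ui", 30));
    }
}
```

Two points the list in the comment leaves implicit and a handler should still get right: the algorithm is pinned before `verify` is called, so the verifier is never asked to honour whatever `alg` the token carries, and a small clock-skew allowance is applied to `exp` so that legitimately short-lived tokens from an SSO whose clock drifts by a few seconds are not rejected. Scope checking, which the comment notes is absent from the patch, would be a fourth step on `claims` in the same place.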
