Date: Sat, 28 Mar 2015 03:31:53 +0000 (UTC)
From: "Kai Zheng (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-11717) Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth

[ https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14385091#comment-14385091 ]

Kai Zheng commented on HADOOP-11717:
------------------------------------

[~lmccay], looks like we don't consider token encryption and decryption, right? It's good to get this in since it gets the job well done. As I mentioned in this JIRA earlier and discussed in HADOOP-11766, we also have a bunch of code related to this in TokenAuth related efforts. We're refining our existing code and will break it down into smaller pieces. We would incorporate this part rather than duplicating something. As already widely discussed and agreed, we need more generic token APIs and common pluggable and configurable facilities like token encoder, decoder and validation. We will refine our code plus this work in tasks in HADOOP-11766. Thanks for the work!

> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
>                 Key: HADOOP-11717
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11717
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>         Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch, HADOOP-11717-3.patch, HADOOP-11717-4.patch, HADOOP-11717-5.patch, HADOOP-11717-6.patch, HADOOP-11717-7.patch
>
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler will redirect to when there is no hadoop.auth cookie and no JWT token found in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for compromised use
> This will introduce the use of nimbus-jose-jwt library for processing, validating and parsing JWT tokens.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
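The flow in the quoted issue description (look for a JWT, verify its signature, check its expiration, otherwise redirect to the external service), as an added Java example; it is not the HADOOP-11717 patch and not code from this thread. It assumes nimbus-jose-jwt and the javax.servlet API on the classpath and RS256-signed tokens; the class name `JwtSsoSketch`, the cookie name `sso-jwt`, and the key and login URL passed to the constructor are hypothetical.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added illustration only; all names below are hypothetical, not Hadoop's.
public class JwtSsoSketch {
  static final String JWT_COOKIE = "sso-jwt";  // hypothetical cookie name
  private final RSAPublicKey ssoKey;           // public key of the external SSO service
  private final String loginUrl;               // login page of that service

  public JwtSsoSketch(RSAPublicKey ssoKey, String loginUrl) {
    this.ssoKey = ssoKey; this.loginUrl = loginUrl;
  }

  /** Returns the user from a valid token, or null after redirecting to the SSO service. */
  public String authenticate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String user = validate(readCookie(req));
    if (user == null) resp.sendRedirect(loginUrl);  // no usable token: hand off to the SSO service
    return user;
  }

  /** Algorithm, signature and expiry must all check out; any failure yields null. */
  String validate(String serialized) {
    if (serialized == null) return null;
    try {
      SignedJWT jwt = SignedJWT.parse(serialized);
      if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) return null;  // pin the algorithm
      if (!jwt.verify(new RSASSAVerifier(ssoKey))) return null;  // tampered, or not signed by the SSO key
      Date exp = jwt.getJWTClaimsSet().getExpirationTime();
      if (exp == null || !exp.after(new Date())) return null;    // reject missing or past expiry
      return jwt.getJWTClaimsSet().getSubject();
    } catch (ParseException | JOSEException e) {
      return null;  // malformed token or unsupported header: treat as unauthenticated
    }
  }

  static String readCookie(HttpServletRequest req) {
    Cookie[] cookies = req.getCookies();  // null when the request carries no cookies
    if (cookies != null) for (Cookie c : cookies) if (JWT_COOKIE.equals(c.getName())) return c.getValue();
    return null;
  }
}
```

A signed JWT of this kind is integrity-protected but readable by anyone who holds it; its claims are base64url-encoded, not encrypted.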