hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11717) Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
Date Tue, 07 Apr 2015 15:10:15 GMT

[ https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14483330#comment-14483330 ]

Kai Zheng commented on HADOOP-11717:
------------------------------------

bq. Encryption is great where it is required. It isn't required here ...
This work should not just solve your case. We should not assume all JWT tokens are issued as you expect. Assume some JWT token with encrypted attributes; how would this handle it? As I said, this can be followed up later, but you disagreed entirely.
bq. The reason that it extends AltKerberosAuthenticationHandler is to accommodate non-browser clients...
I see no reason we have to couple with AltKerberosAuthenticationHandler. It looks rather complicated; even so, why wouldn't we have a dedicated handler to handle all the cases? Wouldn't it be easier? If I missed anything please correct me. Thanks.
bq. As I answered previously, there is no need to pull the JWT code into a generic token handling utility at this point...
I agree. I'm not saying we should do this right now. I will follow up in other issues. Agree?
bq. This handler already works for HDFS and YARN UIs - I have tested them.
Sounds good. Did you get the SSO effect across all the UIs, i.e. only ONE redirection to the authentication provider URL happened within a reasonable time as you went from one to another? How about WebHDFS?
bq. I see little value in the configuration element changes...
I thought it's worth paying attention when introducing new configuration items. Once one is used, we'll need to maintain it.
public.key.pem to token.signature.publickey, so it will be easy to add another key, token.encryption.privatekey.
bq. Replacing JWT with token does make it more general but this handler really is about JWT support
I thought you agreed to have general token stuff at some time in the future even if not now, so why wouldn't we use a more general configuration name here right now?


> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
>                 Key: HADOOP-11717
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11717
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>         Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch, HADOOP-11717-3.patch, HADOOP-11717-4.patch, HADOOP-11717-5.patch, HADOOP-11717-6.patch, HADOOP-11717-7.patch, HADOOP-11717-8.patch, RedirectingWebSSOwithJWTforHadoopWebUIs.pdf
>
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler will redirect to when there is no hadoop.auth cookie and no JWT token found in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for compromised use
> This will introduce the use of the nimbus-jose-jwt library for processing, validating and parsing JWT tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
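As an added illustration of the flow the issue describes (this is not code from HADOOP-11717, its patches, or the Hadoop code base), the Java sketch below makes the handler's per-request decision: an existing hadoop.auth cookie is honoured, a request with no token is redirected to the external provider, and a token that is present must pass nimbus-jose-jwt signature verification against the configured public key and carry an unexpired exp claim. The class and method names, the query parameter that carries the original URL, and the provider URL are assumptions; the key pairs are generated locally for the demonstration. It needs nimbus-jose-jwt on the classpath and Java 10 or later.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;

// Added example; class and method names are assumptions, not Hadoop's own handler.
public class WebSsoDecision {

    /** What the handler does with one incoming request. */
    enum Outcome { ALREADY_AUTHENTICATED, AUTHENTICATED_BY_JWT, REDIRECT_TO_PROVIDER }

    private final RSAPublicKey verificationKey; // the configured public key (public.key.pem / token.signature.publickey in the thread)
    private final String providerUrl;            // assumed: the external authentication service

    WebSsoDecision(RSAPublicKey verificationKey, String providerUrl) {
        this.verificationKey = verificationKey;
        this.providerUrl = providerUrl;
    }

    /**
     * hasHadoopAuthCookie: a hadoop.auth cookie means a session already exists, so nothing to do.
     * jwt: the token found in the request (cookie or header), or null when none is present.
     * now: the instant the exp claim is compared against.
     */
    Outcome decide(boolean hasHadoopAuthCookie, String jwt, Date now) {
        if (hasHadoopAuthCookie) return Outcome.ALREADY_AUTHENTICATED;
        if (jwt == null) return Outcome.REDIRECT_TO_PROVIDER;
        return isValid(jwt, now) ? Outcome.AUTHENTICATED_BY_JWT : Outcome.REDIRECT_TO_PROVIDER;
    }

    /** Signature first, then expiry; anything unparsable or unverifiable is treated like no token. */
    boolean isValid(String jwt, Date now) {
        try {
            // SignedJWT.parse accepts only the three-part JWS form, so a JWE (five parts)
            // or a plain unsigned token fails here instead of being silently accepted.
            SignedJWT signed = SignedJWT.parse(jwt);
            // RSASSAVerifier handles RSA algorithms only, so a header advertising HS256 or
            // "none" cannot verify against the configured public key.
            if (!signed.verify(new RSASSAVerifier(verificationKey))) return false;
            Date exp = signed.getJWTClaimsSet().getExpirationTime();
            // A token without exp has no bounded lifetime; reject it rather than assume one.
            return exp != null && now.before(exp);
        } catch (ParseException | JOSEException e) {
            return false;
        }
    }

    /** Where to send the browser when no usable credential was found. */
    String redirectUrl(String originalUrl) {
        // The query parameter name is an assumption; the provider must bring the user back here.
        return providerUrl + "?originalUrl=" + URLEncoder.encode(originalUrl, StandardCharsets.UTF_8);
    }

    // --- demonstration with locally generated keys (constructed for this example only) ---

    static String issue(RSAPrivateKey signingKey, String subject, Date exp) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject(subject).expirationTime(exp).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(signingKey));
        return jwt.serialize();
    }

    static void expect(String label, Outcome got, Outcome want) {
        System.out.println(label + ": " + got);
        if (got != want) throw new AssertionError(label + " expected " + want);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair provider = gen.generateKeyPair(); // the SSO provider's signing key
        KeyPair stranger = gen.generateKeyPair(); // a key the handler was never configured with

        WebSsoDecision handler = new WebSsoDecision(
                (RSAPublicKey) provider.getPublic(), "https://sso.example.invalid/login");

        Date now = new Date();
        Date inOneHour = new Date(now.getTime() + 3_600_000L);
        Date oneHourAgo = new Date(now.getTime() - 3_600_000L);

        String fresh   = issue((RSAPrivateKey) provider.getPrivate(), "alice", inOneHour);
        String expired = issue((RSAPrivateKey) provider.getPrivate(), "alice", oneHourAgo);
        String forged  = issue((RSAPrivateKey) stranger.getPrivate(), "alice", inOneHour);

        expect("cookie present", handler.decide(true, null, now), Outcome.ALREADY_AUTHENTICATED);
        expect("no credential ", handler.decide(false, null, now), Outcome.REDIRECT_TO_PROVIDER);
        expect("valid JWT     ", handler.decide(false, fresh, now), Outcome.AUTHENTICATED_BY_JWT);
        expect("expired JWT   ", handler.decide(false, expired, now), Outcome.REDIRECT_TO_PROVIDER);
        expect("wrong-key JWT ", handler.decide(false, forged, now), Outcome.REDIRECT_TO_PROVIDER);
        System.out.println("redirect target: " + handler.redirectUrl("https://nn.example.invalid/dfshealth.html"));
    }
}
```

The ordering matters for the point made in the comment above: signature verification runs before the claims are trusted, so the exp value of an unverifiable token is never consulted. It also shows the encrypted-token question concretely: SignedJWT.parse only accepts the JWS form, so a JWE presented to this handler is redirected rather than decrypted, and supporting one would need its own decryption key alongside the verification key.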
