hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11717) Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
Date Tue, 07 Apr 2015 15:34:14 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14483372#comment-14483372 ]

Larry McCay commented on HADOOP-11717:
--------------------------------------

There may very well be use cases where encryption is necessary. I didn't mean to say that it
is never needed.
This handler is not trying to do any more than it does.

Keep in mind that, as a pluggable handler, this mechanism is completely replaceable with
some other implementation that fits the needs of a given cluster deployment better. There
is no precedent being set here that can't be replaced.

At the same time, furthering the work done in this patch with follow-up improvements is a
great plan to move it forward. It is much easier than trying to do everything at once.

As for the SSO behavior:

Yes, I have configured the signer secrets to be alike, the cookie domain to work across UIs
and the expiry of the JWT token to work in various ways across the UIs with a single redirect
for authentication.

The fact that webhdfs has a completely different authentication filter means that REST requests
work as normally expected - in this case it will require SPNEGO.

{quote} 
I thought you agreed to have general token stuff in some time in future even not now, so why
won't we use more general configuration name here right now? 
{quote}

I have no problem with a general token API. The use of a handler specific configuration element
shouldn't impact this at all. It is up to the handler to pass the appropriate parameters to
the API.

Thank you for your insights and discussion here, [~drankye].
We will continue to evolve this work to meet as many use cases as appropriate and have a truly
useful feature set here.
Having it align with future work will also be great.


> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
>                 Key: HADOOP-11717
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11717
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch, HADOOP-11717-3.patch, HADOOP-11717-4.patch, HADOOP-11717-5.patch, HADOOP-11717-6.patch, HADOOP-11717-7.patch, HADOOP-11717-8.patch, RedirectingWebSSOwithJWTforHadoopWebUIs.pdf
>
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler will redirect to when there is no hadoop.auth cookie and no JWT token found in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for compromised use
> This will introduce the use of nimbus-jose-jwt library for processing, validating and parsing JWT tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
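
The handler flow from the issue description above (redirect when there is neither a hadoop.auth cookie nor a JWT, otherwise check the token's signature and expiry), as an added sketch that is not part of the original message or the HADOOP-11717 patch. It assumes HS256 with a shared key as a stand-in for the patch's verification, that an invalid or expired token is handled like a missing one, and the cookie name, SSO URL and return parameter are hypothetical.

```python
import base64, hashlib, hmac, json
from urllib.parse import quote

# Hypothetical names for this sketch; none of them come from the patch.
JWT_COOKIE = "sso-jwt"
SSO_URL = "https://sso.example.com/login"
RETURN_PARAM = "returnTo"

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_jwt(claims, key):
    """Build a constructed HS256 sample token (stands in for the SSO service)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(f'{head}.{body}', key))}"

def verify_jwt(token, key, now):
    """Return the subject of a trusted, unexpired token, else None."""
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm; the token must not pick its own (e.g. "none").
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sign(f"{head}.{body}", key), b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        exp = claims.get("exp")
    except (ValueError, AttributeError):
        return None  # malformed token: treat as no token at all
    # A missing or past "exp" is rejected, bounding the window for a stolen token.
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims.get("sub")

def handle(cookies, requested_url, key, now):
    """Decide what the handler does with one incoming UI request."""
    if "hadoop.auth" in cookies:
        return ("continue", None)  # assumed: the existing signed cookie is checked elsewhere
    user = verify_jwt(cookies.get(JWT_COOKIE, ""), key, now)
    if user:
        return ("authenticated", user)
    # No cookie and no usable JWT: send the browser to the external service.
    return ("redirect", f"{SSO_URL}?{RETURN_PARAM}={quote(requested_url, safe='')}")
```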
