Return-Path: X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id D6EAD18956 for ; Wed, 10 Jun 2015 20:31:01 +0000 (UTC) Received: (qmail 72109 invoked by uid 500); 10 Jun 2015 20:31:01 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 72051 invoked by uid 500); 10 Jun 2015 20:31:01 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 72039 invoked by uid 99); 10 Jun 2015 20:31:01 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Jun 2015 20:31:01 +0000 Date: Wed, 10 Jun 2015 20:31:01 +0000 (UTC) From: "Hrishikesh Gadre (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-12082) Support multiple authentication schemes via AuthenticationFilter MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-12082?page=3Dcom.atlassi= an.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D14= 581034#comment-14581034 ]=20 Hrishikesh Gadre commented on HADOOP-12082: ------------------------------------------- [~lmccay] >>It's a shame that there doesn't seem to be a way to present a Bearer toke= n authentication scheme. Not really. HTTP specs support Bearer token authentication. Please take a l= ook at http://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml I think we would need to add another AuthenticationHandler implementing Bea= rer tokens and add it to MultiSchemeAuthenticationHandler (Please see the a= ttached file multi-scheme-auth-support-poc.patch). > Support multiple authentication schemes via AuthenticationFilter > ---------------------------------------------------------------- > > Key: HADOOP-12082 > URL: https://issues.apache.org/jira/browse/HADOOP-12082 > Project: Hadoop Common > Issue Type: Improvement > Components: security > Affects Versions: 2.6.0 > Reporter: Hrishikesh Gadre > Attachments: multi-scheme-auth-support-poc.patch > > > The requirement is to support LDAP based authentication scheme via Hadoop= AuthenticationFilter. HADOOP-9054 added a support to plug-in custom authen= tication scheme (in addition to Kerberos) via AltKerberosAuthenticationHand= ler class. But it is based on selecting the authentication mechanism based = on User-Agent HTTP header which does not conform to HTTP protocol semantics= . > As per [RFC-2616|http://www.w3.org/Protocols/rfc2616/rfc2616.html] > - HTTP protocol provides a simple challenge-response authentication mecha= nism that can be used by a server to challenge a client request and by a cl= ient to provide the necessary authentication information.=20 > - This mechanism is initiated by server sending the 401 (Authenticate) re= sponse with =E2=80=98WWW-Authenticate=E2=80=99 header which includes at lea= st one challenge that indicates the authentication scheme(s) and parameters= applicable to the Request-URI.=20 > - In case server supports multiple authentication schemes, it may return = multiple challenges with a 401 (Authenticate) response, and each challenge = may use a different auth-scheme.=20 > - A user agent MUST choose to use the strongest auth-scheme it understand= s and request credentials from the user based upon that challenge. > The existing Hadoop authentication filter implementation supports Kerbero= s authentication scheme and uses =E2=80=98Negotiate=E2=80=99 as the challen= ge as part of =E2=80=98WWW-Authenticate=E2=80=99 response header. As per th= e following documentation, =E2=80=98Negotiate=E2=80=99 challenge scheme is = only applicable to Kerberos (and Windows NTLM) authentication schemes. > [SPNEGO-based Kerberos and NTLM HTTP Authentication|http://tools.ietf.org= /html/rfc4559] > [Understanding HTTP Authentication|https://msdn.microsoft.com/en-us/libra= ry/ms789031%28v=3Dvs.110%29.aspx] > On the other hand for LDAP authentication, typically =E2=80=98Basic=E2=80= =99 authentication scheme is used (Note TLS is mandatory with Basic authent= ication scheme). > http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html > Hence for this feature, the idea would be to provide a custom implementat= ion of Hadoop AuthenticationHandler and Authenticator interfaces which woul= d support both schemes - Kerberos (via Negotiate auth challenge) and LDAP (= via Basic auth challenge). During the authentication phase, it would send b= oth the challenges and let client pick the appropriate one. If client respo= nds with an =E2=80=98Authorization=E2=80=99 header tagged with =E2=80=98Neg= otiate=E2=80=99 - it will use Kerberos authentication. If client responds w= ith an =E2=80=98Authorization=E2=80=99 header tagged with =E2=80=98Basic=E2= =80=99 - it will use LDAP authentication. > Note - some HTTP clients (e.g. curl or Apache Http Java client) need to b= e configured to use one scheme over the other e.g. > - curl tool supports option to use either Kerberos (via --negotiate flag)= or username/password based authentication (via --basic and -u flags).=20 > - Apache HttpClient library can be configured to use specific authenticat= ion scheme. > http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authenticatio= n.html > Typically web browsers automatically choose an authentication scheme base= d on a notion of =E2=80=9Cstrength=E2=80=9D of security. e.g. take a look a= t the [design of Chrome browser for HTTP authentication|https://www.chromiu= m.org/developers/design-documents/http-authentication] -- This message was sent by Atlassian JIRA (v6.3.4#6332)