hadoop-common-issues mailing list archives

From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12082) Support multiple authentication schemes via AuthenticationFilter
Date Mon, 17 Oct 2016 01:33:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12082?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15580890#comment-15580890 ]

Hadoop QA commented on HADOOP-12082:
------------------------------------

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 19s | Docker mode activated. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 4 new or modified test files. |
| 0 | mvndep | 1m 35s | Maven dependency ordering for branch |
| +1 | mvninstall | 6m 44s | trunk passed |
| +1 | compile | 6m 48s | trunk passed |
| +1 | checkstyle | 1m 28s | trunk passed |
| +1 | mvnsite | 1m 26s | trunk passed |
| +1 | mvneclipse | 0m 35s | trunk passed |
| 0 | findbugs | 0m 0s | Skipped patched modules with no Java source: hadoop-project |
| +1 | findbugs | 1m 47s | trunk passed |
| +1 | javadoc | 1m 10s | trunk passed |
| 0 | mvndep | 0m 18s | Maven dependency ordering for patch |
| +1 | mvninstall | 1m 5s | the patch passed |
| +1 | compile | 6m 48s | the patch passed |
| +1 | javac | 6m 48s | the patch passed |
| -0 | checkstyle | 1m 33s | root: The patch generated 27 new + 151 unchanged - 6 fixed = 178 total (was 157) |
| -1 | mvnsite | 0m 21s | hadoop-auth in the patch failed. |
| +1 | mvneclipse | 0m 47s | the patch passed |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | xml | 0m 2s | The patch has no ill-formed XML file. |
| 0 | findbugs | 0m 0s | Skipped patched modules with no Java source: hadoop-project |
| +1 | findbugs | 2m 7s | the patch passed |
| +1 | javadoc | 1m 20s | the patch passed |
| +1 | unit | 0m 15s | hadoop-project in the patch passed. |
| +1 | unit | 3m 35s | hadoop-auth in the patch passed. |
| +1 | unit | 8m 13s | hadoop-common in the patch passed. |
| +1 | asflicense | 0m 28s | The patch does not generate ASF License warnings. |
| | | 73m 30s | |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:9560f25 |
| JIRA Issue | HADOOP-12082 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12833662/HADOOP-12082-003.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit xml findbugs checkstyle |
| uname | Linux da202271165f 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | trunk / 1f304b0 |
| Default Java | 1.8.0_101 |
| findbugs | v3.0.0 |
| checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/10808/artifact/patchprocess/diff-checkstyle-root.txt |
| mvnsite | https://builds.apache.org/job/PreCommit-HADOOP-Build/10808/artifact/patchprocess/patch-mvnsite-hadoop-common-project_hadoop-auth.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/10808/testReport/ |
| modules | C: hadoop-project hadoop-common-project/hadoop-auth hadoop-common-project/hadoop-common U: . |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/10808/console |
| Powered by | Apache Yetus 0.4.0-SNAPSHOT   http://yetus.apache.org |


This message was automatically generated.



> Support multiple authentication schemes via AuthenticationFilter
> ----------------------------------------------------------------
>
>                 Key: HADOOP-12082
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12082
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Hrishikesh Gadre
>            Assignee: Hrishikesh Gadre
>         Attachments: HADOOP-12082-001.patch, HADOOP-12082-002.patch, HADOOP-12082-003.patch, HADOOP-12082.patch, hadoop-ldap-auth-v2.patch, hadoop-ldap-auth-v3.patch, hadoop-ldap-auth-v4.patch, hadoop-ldap-auth-v5.patch, hadoop-ldap-auth-v6.patch, hadoop-ldap.patch, multi-scheme-auth-support-poc.patch
>
>
> The requirement is to support an LDAP-based authentication scheme via the Hadoop AuthenticationFilter. HADOOP-9054 added support for plugging in a custom authentication scheme (in addition to Kerberos) via the AltKerberosAuthenticationHandler class. But it is based on selecting the authentication mechanism based on the User-Agent HTTP header, which does not conform to HTTP protocol semantics.
> As per [RFC-2616|http://www.w3.org/Protocols/rfc2616/rfc2616.html]
> - HTTP protocol provides a simple challenge-response authentication mechanism that can be used by a server to challenge a client request and by a client to provide the necessary authentication information.
> - This mechanism is initiated by the server sending the 401 (Authenticate) response with a ‘WWW-Authenticate’ header which includes at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.
> - In case the server supports multiple authentication schemes, it may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a different auth-scheme.
> - A user agent MUST choose to use the strongest auth-scheme it understands and request credentials from the user based upon that challenge.
> The existing Hadoop authentication filter implementation supports the Kerberos authentication scheme and uses ‘Negotiate’ as the challenge as part of the ‘WWW-Authenticate’ response header. As per the following documentation, the ‘Negotiate’ challenge scheme is only applicable to Kerberos (and Windows NTLM) authentication schemes.
> [SPNEGO-based Kerberos and NTLM HTTP Authentication|http://tools.ietf.org/html/rfc4559]
> [Understanding HTTP Authentication|https://msdn.microsoft.com/en-us/library/ms789031%28v=vs.110%29.aspx]
> On the other hand, for LDAP authentication, typically the ‘Basic’ authentication scheme is used (note that TLS is mandatory with the Basic authentication scheme).
> http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html
> Hence for this feature, the idea would be to provide a custom implementation of the Hadoop AuthenticationHandler and Authenticator interfaces which would support both schemes - Kerberos (via Negotiate auth challenge) and LDAP (via Basic auth challenge). During the authentication phase, it would send both the challenges and let the client pick the appropriate one. If the client responds with an ‘Authorization’ header tagged with ‘Negotiate’ - it will use Kerberos authentication. If the client responds with an ‘Authorization’ header tagged with ‘Basic’ - it will use LDAP authentication.
> Note - some HTTP clients (e.g. curl or Apache Http Java client) need to be configured to use one scheme over the other, e.g.
> - The curl tool supports an option to use either Kerberos (via the --negotiate flag) or username/password based authentication (via the --basic and -u flags).
> - The Apache HttpClient library can be configured to use a specific authentication scheme.
> http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html
> Typically web browsers automatically choose an authentication scheme based on a notion of “strength” of security, e.g. take a look at the [design of Chrome browser for HTTP authentication|https://www.chromium.org/developers/design-documents/http-authentication]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
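
The server-side dispatch described in the quoted issue (send both challenges, then route on the scheme of the `Authorization` header) can be sketched as follows. This is an added example, not code from the HADOOP-12082 patch or from Hadoop; `authenticate`, `parse_basic`, the `verify_spnego` and `ldap_bind` callables, the realm value and the 403 response for Basic over plain HTTP are all assumptions made for illustration.

```python
import base64

# Both challenges go out with every 401, so the client picks the scheme.
CHALLENGES = ["Negotiate", 'Basic realm="hadoop"']  # realm value is an assumption


def parse_basic(param):
    """Decode Basic credentials; return (user, password) or None if malformed."""
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64, non-ASCII input and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep or not user or not password:
        return None  # an empty password can become an unauthenticated LDAP bind
    return user, password


def authenticate(authorization, is_tls, verify_spnego, ldap_bind):
    """Return (status, www_authenticate_values, principal) for one request.

    verify_spnego(token_b64) and ldap_bind(user, password) are hypothetical
    callables that return a principal name, or None when verification fails.
    """
    if not authorization:
        return 401, CHALLENGES, None  # no credentials yet: challenge
    scheme, _, param = authorization.strip().partition(" ")
    scheme, param = scheme.lower(), param.strip()  # scheme is case-insensitive
    principal = None
    if scheme == "negotiate" and param:
        principal = verify_spnego(param)
    elif scheme == "basic" and param:
        if not is_tls:
            return 403, [], None  # assumed policy: no passwords over plain HTTP
        creds = parse_basic(param)
        principal = ldap_bind(*creds) if creds else None
    # Unknown scheme or failed verification: re-issue both challenges.
    return (200, [], principal) if principal else (401, CHALLENGES, None)


# Constructed stand-ins for the real Kerberos and LDAP back ends.
def demo_spnego(token):
    return "alice@EXAMPLE.COM" if token == "constructed-token" else None


def demo_ldap(user, password):
    return user if (user, password) == ("bob", "s3cret:pw") else None
```

Rejecting an empty password before the bind matters because an LDAP simple bind with a name and no password is treated as an unauthenticated bind, which many directory servers report as success.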
