Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
Date: Mon, 17 Oct 2016 22:37:58 +0000 (UTC)
From: "Hrishikesh Gadre (JIRA)" <jira@apache.org>
To: common-issues@hadoop.apache.org
Message-ID: <JIRA.12836904.1433958946000.10428.1476743878790@Atlassian.JIRA>
In-Reply-To: <JIRA.12836904.1433958946000@Atlassian.JIRA>
References: <JIRA.12836904.1433958946000@Atlassian.JIRA> <JIRA.12836904.1433958946572@arcas>
Subject: [jira] [Commented] (HADOOP-12082) Support multiple authentication
 schemes via AuthenticationFilter
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
archived-at: Mon, 17 Oct 2016 22:38:00 -0000


    [ https://issues.apache.org/jira/browse/HADOOP-12082?page=3Dcom.atlassi=
an.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D15=
583722#comment-15583722 ]=20

Hrishikesh Gadre commented on HADOOP-12082:
-------------------------------------------

[~benoyantony] The patch is looking good now. Can you please take a look?

> Support multiple authentication schemes via AuthenticationFilter
> ----------------------------------------------------------------
>
>                 Key: HADOOP-12082
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12082
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Hrishikesh Gadre
>            Assignee: Hrishikesh Gadre
>         Attachments: HADOOP-12082-001.patch, HADOOP-12082-002.patch, HADO=
OP-12082-003.patch, HADOOP-12082-004.patch, HADOOP-12082-005.patch, HADOOP-=
12082-006.patch, HADOOP-12082.patch, hadoop-ldap-auth-v2.patch, hadoop-ldap=
-auth-v3.patch, hadoop-ldap-auth-v4.patch, hadoop-ldap-auth-v5.patch, hadoo=
p-ldap-auth-v6.patch, hadoop-ldap.patch, multi-scheme-auth-support-poc.patc=
h
>
>
> The requirement is to support LDAP based authentication scheme via Hadoop=
 AuthenticationFilter. HADOOP-9054 added a support to plug-in custom authen=
tication scheme (in addition to Kerberos) via AltKerberosAuthenticationHand=
ler class. But it is based on selecting the authentication mechanism based =
on User-Agent HTTP header which does not conform to HTTP protocol semantics=
.
> As per [RFC-2616|http://www.w3.org/Protocols/rfc2616/rfc2616.html]
> - HTTP protocol provides a simple challenge-response authentication mecha=
nism that can be used by a server to challenge a client request and by a cl=
ient to provide the necessary authentication information.=20
> - This mechanism is initiated by server sending the 401 (Authenticate) re=
sponse with =E2=80=98WWW-Authenticate=E2=80=99 header which includes at lea=
st one challenge that indicates the authentication scheme(s) and parameters=
 applicable to the Request-URI.=20
> - In case server supports multiple authentication schemes, it may return =
multiple challenges with a 401 (Authenticate) response, and each challenge =
may use a different auth-scheme.=20
> - A user agent MUST choose to use the strongest auth-scheme it understand=
s and request credentials from the user based upon that challenge.
> The existing Hadoop authentication filter implementation supports Kerbero=
s authentication scheme and uses =E2=80=98Negotiate=E2=80=99 as the challen=
ge as part of =E2=80=98WWW-Authenticate=E2=80=99 response header. As per th=
e following documentation, =E2=80=98Negotiate=E2=80=99 challenge scheme is =
only applicable to Kerberos (and Windows NTLM) authentication schemes.
> [SPNEGO-based Kerberos and NTLM HTTP Authentication|http://tools.ietf.org=
/html/rfc4559]
> [Understanding HTTP Authentication|https://msdn.microsoft.com/en-us/libra=
ry/ms789031%28v=3Dvs.110%29.aspx]
> On the other hand for LDAP authentication, typically =E2=80=98Basic=E2=80=
=99 authentication scheme is used (Note TLS is mandatory with Basic authent=
ication scheme).
> http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html
> Hence for this feature, the idea would be to provide a custom implementat=
ion of Hadoop AuthenticationHandler and Authenticator interfaces which woul=
d support both schemes - Kerberos (via Negotiate auth challenge) and LDAP (=
via Basic auth challenge). During the authentication phase, it would send b=
oth the challenges and let client pick the appropriate one. If client respo=
nds with an =E2=80=98Authorization=E2=80=99 header tagged with =E2=80=98Neg=
otiate=E2=80=99 - it will use Kerberos authentication. If client responds w=
ith an =E2=80=98Authorization=E2=80=99 header tagged with =E2=80=98Basic=E2=
=80=99 - it will use LDAP authentication.
> Note - some HTTP clients (e.g. curl or Apache Http Java client) need to b=
e configured to use one scheme over the other e.g.
> - curl tool supports option to use either Kerberos (via --negotiate flag)=
 or username/password based authentication (via --basic and -u flags).=20
> - Apache HttpClient library can be configured to use specific authenticat=
ion scheme.
> http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authenticatio=
n.html
> Typically web browsers automatically choose an authentication scheme base=
d on a notion of =E2=80=9Cstrength=E2=80=9D of security. e.g. take a look a=
t the [design of Chrome browser for HTTP authentication|https://www.chromiu=
m.org/developers/design-documents/http-authentication]


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org