directory-dev mailing list archives

From Colm O hEigeartaigh <>
Subject Re: [DISCUSS] Merge HAS to Apache Kerby
Date Mon, 27 Nov 2017 10:53:44 GMT
Hi Jiajia,

It sounds like a really interesting project. Have you got any feedback from
the Hadoop project about it?

I'm finding it hard to understand exactly how it works though based on the
README. Could you describe how it works from a really basic point of view
for say a simple Hadoop client? Normally I just have to use "kinit" to get
a Kerberos ticket and then I am authenticated to invoke on HDFS. How does
HAS work differently? Where does the token pre-auth stuff fit in?


On Fri, Nov 24, 2017 at 3:30 AM, Li, Jiajia <> wrote:

> Hi all,
> I would like to post a proposal about merging a new project HAS (Hadoop
> Authentication Service) to Apache Kerby. HAS is led by Intel and Alibaba,
> it is a solution to support the authentication of open source big data
> ecosystem in cloud computing platforms. I've created a new branch
> "has-project" in Kerby, HAS is under "has" folder. Please look at
> for
> details.
> Background and motivation:
> At present, the open source big data ecosystems (Hadoop/Spark) only have
> the built-in Kerberos support on the security authentication. HAS aims to
> build a standalone authentication service for the big data ecosystem that
> simplifies the support of Kerberos and allows the use of more authentication
> methods.
> Target users:
> HAS supports various authentication mechanisms other than just Kerberos,
> and it provides a new authentication mechanism that can be easily customized
> and plugged in with existing user authentication and authorization systems, and
> security admins won't have to migrate and sync up their user accounts to
> Kerberos back and forth.
> Architecture & Design:
> HAS provides a new authentication mechanism ("Kerberos-based token
> authentication"), depending on the "TokenPreauth" provided by Apache Kerby.
> Please look at
> has/ for details.
> Features:
> 1. Provides new authentication mechanism plugin APIs to customize and
> plug in with existing user authentication and authorization systems. Please
> look at
> has/ for details.
> 2. Provides lots of REST APIs and facility tools to simplify the
> support of Kerberos. Kerberos is essentially a protocol, or secure channel,
> and doesn't have to be that complex for users. Please look at
> has/doc/ for details.
> 3. Provides MySQL backend for High Availability. Please look at
> has/doc/ for details.
> 4. New authentication mechanism now supports most of the components
> of open source big data ecosystem with little or no changes to components,
> including HDFS, HBase, Zookeeper, Hive, Spark.... Please look at
> for details.
> Practice
> This solution has been deployed in Alibaba Cloud E-MapReduce production.
> Why merge?
> HAS provides a complete Hadoop/Spark authentication framework and solution
> based on Kerberos, HAS can help to upgrade Kerby KDC, make it more solid
> and stronger. And if HAS can be merged to Apache Kerby, the community will help
> HAS grow faster and users can more easily use this solution in their own
> production. We have two suggestions about how to merge:
> - Option 1:
> Create a standalone module "kerby-has", putting HAS project under this
> module.
> - Option 2:
> Suggest replacing kerby-kdc module with HAS, upgrade the Kerby KDC.
> Contributors:
> Jiajia, Li (Intel)
> Lin, Zeng (Intel)
> Zhiqiang, Zhang (Intel)
> Kai, Zheng (Intel)
> Wei, Wu (Alibaba)
> Jun, Song (Alibaba)
> Long, Cao (Alibaba)
> Zhenyuan, Wei (Alibaba)
> Your review efforts are truly appreciated, please feel free to provide us
> your feedback.
> Regards,
> Jiajia

Colm O hEigeartaigh

Talend Community Coder
