hadoop-common-issues mailing list archives

From "Brian Swan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9392) Token based authentication and Single Sign On
Date Wed, 10 Jul 2013 20:39:52 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13705038#comment-13705038

Brian Swan commented on HADOOP-9392:

Hi Tianyou-

Maybe I should have listed my last comment/question first, as it was the most important to
me: One work item that fits into your design is that of adding token support to RPC endpoints.
This is a work item that would add value for customers right away while still allowing flexibility
in the rest of the design. This is something we would like to begin work on now (after consulting
Daryn Sharp, since I understand he's been doing some work in this area). However, it's not
clear to me (based on comments in the DISCUSS thread on common-dev) if you are already writing
code for this. It would be unfortunate to duplicate work here. If you have something concrete
to share, that would be great.

Regarding a client passing credentials to TAS: It seems that you are saying that a client
would not pass credentials to TAS in all scenarios. This is not reflected in the diagram.
I also am not sure what you mean by "TAS should be trusted by client for authentication".
Trusting with *credentials* violates basic security principles, which I would not see as an
improvement in Hadoop security.

IMHO, the best way to get to a common understanding of the details here is with code or with
a much more narrowly-scoped discussion (which is what I was trying to say in my point #3).
I *do* think that breaking things down into sub-tasks is a good idea - the DISCUSS thread
on common-dev that I mentioned before has a great start to this (by component).

> Token based authentication and Single Sign On
> ---------------------------------------------
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>         Attachments: token-based-authn-plus-sso.pdf, token-based-authn-plus-sso-v2.0.pdf
> This is an umbrella entry for one of project Rhino’s topics. For details of project Rhino, please refer to https://github.com/intel-hadoop/project-rhino/. The major goal for this entry as described in project Rhino was:
>
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication at the RPC layer, via SASL. However this does not provide valuable attributes such as group membership, classification level, organizational identity, or support for user defined attributes. Hadoop components must interrogate external resources for discovering these attributes and at scale this is problematic. There is also no consistent delegation model. HDFS has a simple delegation capability, and only Oozie can take limited advantage of it. We will implement a common token based authentication framework to decouple internal user and service authentication from external mechanisms used to support it (like Kerberos)”
>
> We’d like to start our work from Hadoop-Common and try to provide common facilities by extending the existing authentication framework which supports:
> 1. Pluggable token provider interface
> 2. Pluggable token verification protocol and interface
> 3. Security mechanism to distribute secrets in cluster nodes
> 4. Delegation model of user authentication
