hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9671) Improve Hadoop security - Use cases
Date Wed, 03 Jul 2013 15:10:22 GMT

[ https://issues.apache.org/jira/browse/HADOOP-9671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13699063#comment-13699063 ]

Kai Zheng commented on HADOOP-9671:
-----------------------------------

=== From TokenAuth ===

Use cases
1. Users can authenticate using their own domain-specific identity and receive an opaque token; this token and its derived tokens are then passed through transparently to all Hadoop services as needed, for RPC or web interface interactions
2. Service implementers have a common library for validating, authorizing and auditing the provided identity and its attributes
3. Administrators can introduce new authentication mechanisms, by way of pluggable connectors against identity backend providers
4. Users can authenticate in one cluster and access another cluster in a federation without reauthentication
5. Current Hadoop deployments can continue to use existing authentication methods in a backwards-compatible way

Requirements
1. Pluggable authentication modules; concrete authentication mechanisms and modules are selectable via configuration and user interactions, client attributes and capabilities
2. A provider interface and API for integrating Hadoop authentication with existing identity providers deployed in the wider organization
3. Domain-based authentication model: different authentication mechanisms, or those with different configurations, according to different contexts, can be used for different user domains
4. Build on the current Hadoop SASL authentication framework with a new authentication method, and support RPC
5. Backwards compatibility with today's authentication methods and deployments
6. A common token format with variable identity attributes to support fine-grained access control
7. Also support web browser SSO for Hadoop web interfaces and REST access for Hadoop services in the REST API
8. Support proxy authentication: one Hadoop service can proxy an authenticated client user to access other Hadoop services in a constrained way
9. Client authentication integration: support integrating client authentication mechanisms like desktop Active Directory, smart card, etc.
10. Token authority (issuer) supports a REST interface, an optional RPC interface and a web browser flow.

Constraints
1. Hadoop should only need to understand the common token and the new authentication method instead of the concrete authentication mechanism
2. Add the new authentication framework and API as an alternative to the existing API, for backwards compatibility and to avoid impact on ecosystem projects
3. The new framework and API will be used to re-implement existing authentication methods so an internal migration can happen without external impact
4. The token-based authentication and framework should be able to avoid the common threats regarding bearer tokens

                
> Improve Hadoop security - Use cases
> -----------------------------------
>
>                 Key: HADOOP-9671
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9671
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Sanjay Radia
>


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
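The comment above lists requirements but shows no token. The following is an added example, not code from the HADOOP-9671 thread or from the TokenAuth proposal, sketching what requirement 6 (a common token format with variable identity attributes), requirement 8 (constrained proxy authentication) and constraint 4 (mitigating bearer-token threats) can look like together: an HMAC-signed token carrying identity attributes, an audience and an expiry; a derivation step that lets one service proxy a user to another service only with a subset of the attributes and a shorter lifetime; and the checks a receiving service runs before trusting the claims. The key, user, domain, service names and attribute values are constructed for the demonstration, and the token layout is this example's own, not Hadoop's.

```python
"""Added example (not from HADOOP-9671 or the TokenAuth design): a toy
signed identity token with attributes, constrained derivation for proxy
use, and service-side validation. All names and keys are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo key for the hypothetical token authority. A real
# deployment keeps this in a keystore/KMS, never in source.
AUTHORITY_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def issue_token(key, subject, domain, attrs, audience, ttl, now=None, parent=None):
    """Token authority side: bind identity, attributes, audience and expiry."""
    now = time.time() if now is None else now
    claims = {
        "jti": uuid.uuid4().hex,   # unique id, lets a derived token name its parent
        "sub": subject,
        "domain": domain,          # the user's own identity domain
        "attrs": attrs,            # variable identity attributes for access control
        "aud": audience,           # audience binding: which service may accept it
        "iat": now,
        "exp": now + ttl,          # short lifetime limits replay of a stolen token
        "parent": parent,          # set only on derived (proxy) tokens
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _sign(key, payload)


def verify_token(key, token, expected_audience, now=None):
    """Service side: check signature, expiry and audience before using claims."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    payload = _unb64(payload_b64)
    if not hmac.compare_digest(_sign(key, payload), sig):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["aud"] != expected_audience:
        raise ValueError("token not intended for this service")
    return claims


def derive_token(key, parent_token, holder_audience, new_audience, attrs, now=None):
    """Constrained proxy: a service holding a valid token mints a narrower one."""
    now = time.time() if now is None else now
    parent = verify_token(key, parent_token, holder_audience, now)
    # The derived token may only carry a subset of the parent's attributes...
    for name, values in attrs.items():
        if name not in parent["attrs"] or not set(values) <= set(parent["attrs"][name]):
            raise ValueError(f"cannot widen attribute {name!r} in derived token")
    # ...and must not outlive the parent (and is capped at 5 minutes here).
    ttl = min(parent["exp"] - now, 300)
    return issue_token(key, parent["sub"], parent["domain"], attrs, new_audience,
                       ttl, now, parent=parent["jti"])


def outcome(fn, *args, **kwargs):
    """Return 'accepted' or the rejection reason, for tabulating checks."""
    try:
        fn(*args, **kwargs)
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = time.time()
    # Constructed user 'alice' from domain 'corp.example' gets a token for HDFS.
    user_tok = issue_token(AUTHORITY_KEY, "alice", "corp.example",
                           {"groups": ["analysts", "admins"]}, "hdfs", 3600, now)
    # HDFS proxies alice to YARN with only the 'analysts' group.
    proxy_tok = derive_token(AUTHORITY_KEY, user_tok, "hdfs", "yarn",
                             {"groups": ["analysts"]}, now)
    print(verify_token(AUTHORITY_KEY, proxy_tok, "yarn", now))
    print(outcome(verify_token, AUTHORITY_KEY, user_tok, "yarn", now))
```

Three properties map back to the list above: the receiving service only needs to understand the common token and the signing key, not the mechanism the user authenticated with (constraint 1); the derived token cannot widen attributes or outlive its parent, which is what "constrained" proxying means in requirement 8; and signature, audience and expiry checks are the standard mitigations for a bearer token being replayed against a different service or after theft (constraint 4). A production design would add revocation and key rotation, which this sketch omits.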
