hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10959) A Complement and Short Term Solution to TokenAuth Based on Kerberos Pre-Authentication Framework
Date Tue, 12 Aug 2014 17:53:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14094390#comment-14094390 ]

Larry McCay commented on HADOOP-10959:
--------------------------------------

There is some interesting work here.

What I need to think about or we need to discuss is exactly who has the problem that this solution solves.

I think that it is very interesting that this may end up making its way into MIT Kerberos itself.
Not sure how likely it would make it into AD though - so this will end up being a feature that requires MIT Kerberos even in MS shops.

So - if we look at the pains of the current authentication with Kerberos approach, which ones are actually solved by this solution:

* Kerberos/KDC setup - NO - in fact it is more complicated (maybe tooling can help)
* user accounts - NO - still needed
* keytabs - not really - replaced by JWT tokens (assuming that this is intended for services as well as users)
* kinit - NO - still required but will present JWT instead of username/token
* SPNEGO - NO - still required for REST APIs and browsers(?)
* narrow integration opportunities - YES - there are a number of solutions that can issue or exchange other tokens for JWT tokens - including Microsoft's

Can multiple Kerberos plugins be used at once - which would allow for a mixed deployment of Kerberos and JWT?


> A Complement and Short Term Solution to TokenAuth Based on Kerberos Pre-Authentication Framework
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10959
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10959
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>              Labels: Rhino
>         Attachments: KerbToken-v2.pdf
>
>
> To implement and integrate pluggable authentication providers, enhance desirable single sign on for end users, and help enforce centralized access control on the platform, the community has widely discussed and concluded token based authentication could be the appropriate approach. TokenAuth (HADOOP-9392) was proposed and is under development to implement another Authentication Method in lieu with Simple and Kerberos. It is a big and long term effort to support TokenAuth across the entire ecosystem. We here propose a short term replacement based on Kerberos that can complement TokenAuth. Our solution involves fewer code changes with limited risk and the main development work has already been done in our POC. Users can use our solution as a short term solution to support tokens inside Hadoop.
> This effort and resultant solution will be fully described in the design document to be attached. And the brief introduction will be commented.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
