hadoop-common-issues mailing list archives

From "Kai Zheng (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10959) A Complement and Short Term Solution to TokenAuth Based on Kerberos Pre-Authentication Framework
Date Wed, 13 Aug 2014 02:26:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14095056#comment-14095056 ]

Kai Zheng commented on HADOOP-10959:

bq. we need to discuss is exactly who has the problem that this solution solves.
I quite agree. This aims to enhance Hadoop Kerberos authentication with a token-preauth mechanism
for Kerberos itself and to allow integrating other authentication providers for clusters that
essentially require Kerberos or have already deployed Kerberos previously. Do such
scenarios make sense? I'd love to discuss and clarify this further with more feedback.

bq. I think that it is very interesting that this may end up making its way into MIT kerberos
We're collaborating with the MIT team on drafting the token-preauth mechanism and then implementing
it based on the prototype. Hopefully we can make it in the not so distant future, but before that
we can publish the plugin implementation code for review and a binary for experimental usage.

bq. Not sure how likely it would make it into AD though - so this will end up being a feature
that requires MIT kerberos even in MS shops.
A cluster can have an MIT Kerberos deployment with this token support serving as an authentication
hub for internal usage; then AD can be supported by a Kerberos cross-realm trust setup, and
other authentication providers can be supported by a token authentication service that
supports JWT tokens. *Owing to this, an OAuth 2.0 token workflow would be possible for the ecosystem.*

bq. we look at the pains of the current authentication with kerberos approach which ones are
actually solved by this solution
No. This effort doesn't attempt to resolve all the pains of Kerberos, as TokenAuth (HADOOP-9392)
aims to. This focuses on providing the token support assuming a Kerberos deployment. That
means, if you accept Kerberos and like both its strengths and drawbacks for your cluster,
then this solution provides you more integration options by employing the token support for
your end users' sake.

Right, we do wish, and are also making an effort, to simplify the Kerberos deployment for Hadoop,
which we think makes sense for the long term. It's another story though.

bq. keytabs - not really - replaced by JWT tokens (assuming that this is intended for services
as well as users)
It's not a problem to use a token to authenticate a service, but it doesn't help the service
to authenticate clients, because that requires Kerberos keys which must be provided by keytabs.
However, the pain of deploying keytabs for services can be alleviated by token support; still,
another story.

bq. SPNEGO - NO - still required for REST APIs and browsers
It's not true for browsers. Browsers can be given a token by a flow (like the OAuth web
workflow) or a user form, and submit the token to the server side. On the server side it does SPNEGO for
compatibility with non-token accesses.

bq. Can multiple kerberos plugins be used at once - which would allow for a mixed deployment
of kerberos and JWT?
Right. Kerberos supports multiple preauthentication mechanisms and the MIT KDC supports multiple
plugins. You reminded me that I can provide a typical deployment with this token support.
I will update the design doc later. Thanks.
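As an added example (not code from the JIRA issue, the design doc or the Rhino prototype), the server-side decision described above for a mixed deployment: accept a JWT presented by a browser or token client, and fall back to a SPNEGO challenge for everything else. It assumes an HS256-signed token carrying `iss`, `sub` and `exp` claims, a constructed demo key and a hypothetical issuer name; the SPNEGO/GSSAPI handler itself is not shown.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed demo key and issuer; a real deployment would use the token service's own key.
DEMO_KEY = b"constructed-demo-key"
ISSUER = "token-auth-service.example"   # hypothetical issuer name

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_token(claims, key):
    """Mint an HS256 JWT; stands in for the token authentication service."""
    head = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token, key, issuer, now=None):
    """Return the claims if algorithm, signature, issuer and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        if json.loads(_unb64url(head)).get("alg") != "HS256":   # reject "none" / alg swaps
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, AttributeError, binascii.Error):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("exp", 0) <= now:
        return None
    return claims

def authenticate(headers, key=DEMO_KEY, issuer=ISSUER, now=None):
    """Server-side decision for a mixed deployment: bearer JWT first, SPNEGO otherwise."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_jwt(auth[len("Bearer "):], key, issuer, now)
        if claims is None:   # a bad token must not fall through to anonymous access
            return {"status": 401, "challenge": 'Bearer error="invalid_token"'}
        return {"status": 200, "principal": claims.get("sub"), "method": "token"}
    if auth.startswith("Negotiate "):
        return {"status": 200, "method": "spnego"}   # hand the GSS token to the SPNEGO handler (not shown)
    return {"status": 401, "challenge": "Negotiate"}   # so Kerberos-capable browsers still work
```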

> A Complement and Short Term Solution to TokenAuth Based on Kerberos Pre-Authentication
> ------------------------------------------------------------------------------------------------
>                 Key: HADOOP-10959
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10959
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>              Labels: Rhino
>         Attachments: KerbToken-v2.pdf
> To implement and integrate pluggable authentication providers, enhance desirable single
> sign-on for end users, and help enforce centralized access control on the platform, the community
> has widely discussed and concluded that token based authentication could be the appropriate approach.
> TokenAuth (HADOOP-9392) was proposed and is under development to implement another Authentication
> Method in addition to Simple and Kerberos. It is a big and long term effort to support TokenAuth
> across the entire ecosystem. We here propose a short term replacement based on Kerberos that
> can complement TokenAuth. Our solution involves fewer code changes with limited risk, and
> the main development work has already been done in our POC. Users can use our solution as
> a short term solution to support tokens inside Hadoop.
> This effort and the resultant solution will be fully described in the design document to
> be attached. And a brief introduction will be commented.

This message was sent by Atlassian JIRA
