Kan Zhang created HADOOP-8758:
---------------------------------

             Summary: Support for pluggable token implementations
                 Key: HADOOP-8758
                 URL: https://issues.apache.org/jira/browse/HADOOP-8758
             Project: Hadoop Common
          Issue Type: Improvement
          Components: ipc, security
            Reporter: Kan Zhang
            Assignee: Kan Zhang


Variants of the delegation token mechanism have been employed by different 
Hadoop services (NN, JT, RM, etc.) to re-authenticate a previously 
Kerberos-authenticated client. While the existing delegation token mechanism 
complements Kerberos well, it doesn't necessarily have to be coupled with 
Kerberos. In principle, delegation tokens can be coupled with any 
authentication mechanism that bootstraps security. In particular, it can be 
coupled with other token implementations that use the same DIGEST-MD5 auth 
method. For example, a token can be pre-generated in an out-of-band manner and 
configured as a shared secret key between NN and JT to allow JT to make initial 
authentication to NN. This simple example doesn't deal with token renewal, etc., 
but it helps to illustrate the point that if we can support multiple pluggable 
token implementations, it opens up the possibility for different users to plug 
in the token implementation of their choice to bootstrap security. Such a 
token-based mechanism has advantages over Kerberos in that 1) it doesn't require 
Kerberos infrastructure, 2) it leverages the existing SASL DIGEST-MD5 auth method 
and doesn't require adding a new RPC auth method.


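The out-of-band token scenario in the issue above, sketched as an added example (not code from the issue or from Hadoop): both sides hold a pre-generated token and run the RFC 2831 DIGEST-MD5 response computation with it, with no Kerberos step. The class and function names, the realm, the digest-uri and the token values are constructed for illustration, and carrying the token identifier and password base64-encoded as the SASL username and password is an assumption of this sketch.

```python
import base64, hashlib, hmac, os

REALM = b"default"                    # constructed realm value
DIGEST_URI = b"hdfs/nn.example.com"   # constructed digest-uri

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_response(user, realm, password, nonce, cnonce, uri, nc=b"00000001"):
    """RFC 2831 response-value for qop=auth without an authzid."""
    a1 = _md5(user + b":" + realm + b":" + password) + b":" + nonce + b":" + cnonce
    ha1 = _md5(a1).hex().encode()
    ha2 = _md5(b"AUTHENTICATE:" + uri).hex().encode()
    return _md5(b":".join([ha1, nonce, nc, cnonce, b"auth", ha2])).hex()

class TokenClient:
    """Caller side (the JT in the issue's example), configured with the token."""
    def __init__(self, identifier: bytes, password: bytes):
        self.user = base64.b64encode(identifier)
        self.password = base64.b64encode(password)

    def respond(self, nonce: bytes):
        cnonce = base64.b64encode(os.urandom(16))
        resp = digest_response(self.user, REALM, self.password, nonce, cnonce, DIGEST_URI)
        return self.user, cnonce, resp

class TokenServer:
    """Service side (the NN), configured with the same pre-generated tokens."""
    def __init__(self, tokens: dict):
        self.tokens = tokens          # identifier -> password, provisioned out of band
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = base64.b64encode(os.urandom(16))   # fresh for every attempt
        return self.nonce

    def verify(self, user: bytes, cnonce: bytes, resp: str) -> bool:
        nonce, self.nonce = self.nonce, None            # a nonce is single use
        try:
            password = self.tokens.get(base64.b64decode(user))
        except ValueError:                              # malformed base64 username
            password = None
        if nonce is None or password is None:
            return False
        expected = digest_response(user, REALM, base64.b64encode(password),
                                   nonce, cnonce, DIGEST_URI)
        return hmac.compare_digest(expected, resp)      # constant-time comparison

TOKEN_ID, TOKEN_PW = b"jt-bootstrap-token", os.urandom(20)  # constructed token
```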