[
https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13599649#comment-13599649
]
Thomas NGUY commented on HADOOP-9392:
-------------------------------------
Wonderful, Kai!!
To start, I'd like to ask some questions about the subject, as I have no
experience with Hadoop and some points are still unclear to me.
"Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication at
the RPC layer, via SASL. However this does not provide valuable attributes such
as group membership, classification level, organizational identity, or support
for user defined attributes. Hadoop components must interrogate external
resources for discovering these attributes and at scale this is problematic"
I've seen that the NameNode and JobTracker get information about the user by
using its username and a pluggable interface that maps the username to the set of
groups that the user belongs to. Is this method problematic at larger scale? What
do we have to do in that case? Include the user information in the token?
"We will implement a common token based authentication framework to decouple
internal user and service authentication from external mechanisms used to
support it (like Kerberos)"
Here also, what is the problem with the Kerberos token based authentication?
What does "common" token based authentication mean? Is there a link with the
interactions of Hadoop components (see link
http://clustermania.blogspot.jp/2011/11/hadoop-how-it-manages-security.html)??
These questions seem stupid, but I really need to understand more about the
subject before starting ^^. Oh, BTW, I'm doing my master's research at the NII
(National Institute of Informatics) in Tokyo. It's already late at night, so I might
not be able to answer the same day.
Best regards.
Thomas
> Token based authentication and Single Sign On
> ---------------------------------------------
>
> Key: HADOOP-9392
> URL: https://issues.apache.org/jira/browse/HADOOP-9392
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Kai Zheng
> Fix For: 3.0.0
>
>
> This is an umbrella entry for one of project Rhino's topics; for details of
> project Rhino, please refer to
> https://github.com/intel-hadoop/project-rhino/. The major goal for this entry,
> as described in project Rhino, was
>
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication
> at the RPC layer, via SASL. However this does not provide valuable attributes
> such as group membership, classification level, organizational identity, or
> support for user defined attributes. Hadoop components must interrogate
> external resources for discovering these attributes and at scale this is
> problematic. There is also no consistent delegation model. HDFS has a simple
> delegation capability, and only Oozie can take limited advantage of it. We
> will implement a common token based authentication framework to decouple
> internal user and service authentication from external mechanisms used to
> support it (like Kerberos)”
>
> We'd like to start our work from Hadoop-Common and try to provide common
> facilities by extending the existing authentication framework, which supports:
> 1. Pluggable token provider interface
> 2. Pluggable token verification protocol and interface
> 3. Security mechanism to distribute secrets in cluster nodes
> 4. Delegation model of user authentication
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
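The points raised in the thread (user attributes such as group membership carried inside the token rather than looked up per request through the pluggable group mapping, a cluster-wide secret that every service can use to verify tokens, and a delegation model in which a service like Oozie acts on behalf of a user with narrowed rights and a bounded lifetime) can be illustrated with a small attribute-carrying token. The following is an added example, not code from Hadoop, project Rhino or the HADOOP-9392 patches: the token layout (header.payload.signature, HMAC-SHA256 over the first two parts), the key ids used for rotation, the secret values, the user, group and service names, and the one-hop delegation rule are all constructed assumptions for illustration.

```python
"""Attribute-carrying tokens with cluster-secret verification and delegation.

Constructed example for the HADOOP-9392 discussion; not Hadoop's own code.
Assumed design: a token is header.payload.signature (URL-safe base64 of JSON
parts), signed with HMAC-SHA256 under a cluster secret identified by a key id.
"""
import base64
import hashlib
import hmac
import json

# Constructed cluster secrets keyed by id. Item 3 of the issue (secret
# distribution) is what would put these on every node; here they are fixed
# test values. A verifier keeps the previous key so tokens issued before a
# rotation still verify until they expire.
CLUSTER_KEYS = {
    "k1": b"previous-cluster-secret-constructed",
    "k2": b"current-cluster-secret-constructed",
}
CURRENT_KEY_ID = "k2"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _mint(payload: dict, key_id: str) -> str:
    """Serialize and sign a payload under the named cluster key."""
    header = {"alg": "HS256", "kid": key_id}
    body = (_b64e(json.dumps(header, sort_keys=True).encode()) + "."
            + _b64e(json.dumps(payload, sort_keys=True).encode()))
    return body + "." + _b64e(_sign(CLUSTER_KEYS[key_id], body.encode()))


def verify_token(token: str, now: int) -> dict:
    """Check signature (under the key named in the header) and expiry.

    Raises ValueError on any defect; returns the payload otherwise. Any
    service holding the cluster keys can do this without contacting the
    issuer or an external directory: the attributes travel with the token.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64d(h))
    key = CLUSTER_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown key id")
    expected = _sign(key, (h + "." + p).encode())
    if not hmac.compare_digest(expected, _b64d(s)):  # constant-time compare
        raise ValueError("bad signature")
    payload = json.loads(_b64d(p))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def issue_user_token(user: str, groups, attrs: dict, ttl: int, now: int) -> str:
    """Issue a token after external authentication (e.g. Kerberos) succeeded.

    Group membership and other attributes are resolved once, at issue time,
    instead of on every RPC through a group-mapping lookup.
    """
    payload = {"iss": "authn-service", "sub": user, "groups": sorted(groups),
               "attrs": attrs, "iat": now, "exp": now + ttl}
    return _mint(payload, CURRENT_KEY_ID)


def delegate(user_token: str, service: str, ttl: int, now: int,
             allowed_groups=None) -> str:
    """Derive a delegation token letting `service` act for the user.

    Rights can only be narrowed (group intersection) and the lifetime never
    exceeds the parent's. Delegation is one hop: a delegation token cannot be
    re-delegated (an assumed policy, not something the issue prescribes).
    """
    parent = verify_token(user_token, now)
    if "act" in parent:
        raise ValueError("delegation tokens cannot be re-delegated")
    groups = parent["groups"]
    if allowed_groups is not None:
        groups = sorted(set(groups) & set(allowed_groups))
    payload = {"iss": parent["iss"], "sub": parent["sub"], "act": service,
               "groups": groups, "attrs": parent["attrs"], "iat": now,
               "exp": min(parent["exp"], now + ttl)}
    return _mint(payload, CURRENT_KEY_ID)


def authorize(token: str, required_group: str, now: int) -> bool:
    """Authorization decision taken purely from verified token attributes."""
    return required_group in verify_token(token, now)["groups"]


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value
    user_tok = issue_user_token("alice", ["hdfs-readers", "analysts"],
                                {"org": "NII"}, 3600, t0)
    print("user token:", verify_token(user_tok, t0))
    oozie_tok = delegate(user_tok, "oozie", 7200, t0 + 10, ["analysts"])
    print("delegation token:", verify_token(oozie_tok, t0 + 10))
    print("oozie may read as analyst:", authorize(oozie_tok, "analysts", t0 + 10))
    print("oozie may read hdfs:", authorize(oozie_tok, "hdfs-readers", t0 + 10))
```

The lookup-per-request problem Thomas asks about is the contrast with `issue_user_token`: with the attributes signed into the token, the NameNode or JobTracker only needs the cluster key, not a directory round trip, and a delegation token inherits exactly what the verifier already trusts. The tradeoff the design has to accept is staleness: a group removal takes effect only when the token expires, which is why `exp` is bounded and why `delegate` cannot extend it.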