[ 
https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13611420#comment-13611420
 ] 

Kai Zheng commented on HADOOP-9392:
-----------------------------------

Hi Daryn,

Thanks for letting me know about your work. I did some investigation into recent 
community work regarding Hadoop security and authentication, in JIRA 
HADOOP-8779 with its subtasks and related JIRAs. Most of the JIRAs were already 
closed. It's great work, and I can see the Hadoop security-related code is 
cleaner now. For your work decoupling Kerberos as the only auth method for 
Hadoop, which JIRA is it in, if you have one? If you don't have such a JIRA or 
design document for me to read so that we can avoid colliding, would you 
please explain it? In particular I have the questions below.
1. I just checked the recent code. In UserGroupInformation.java, it has SIMPLE, 
KERBEROS, TOKEN, CERTIFICATE, KERBEROS_SSL and PROXY as authentication methods, and 
most of them are newly added compared with the Hadoop 1.x version. Does this 
indicate that more authentication methods will/can be supported like these ones? 
Are these methods used, or intended to be used, for internal or external 
authentication? If it's appropriate to speak of "internal"/"external" here, 
which methods are for internal use, and which are for external? How can bad 
usage of them by clients be avoided, for example an internal one being used in an 
external situation? In my understanding TOKEN (DIGEST) can be used both externally, 
though I'm not sure there is such an application, and internally, for example when a 
delegation token or job token is involved. Right?
2. In the Rhino project we're coming up with a common token for Hadoop to authenticate 
to external identity systems, which allows various existing authentication 
mechanisms to be used while the Hadoop security core doesn't have to 
understand them, since it only needs to deal with the common token. What do you 
think about this? Does this conflict with your work?

Thanks for your time.

Regards,
Kai

                
> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>             Fix For: 3.0.0
>
>
> This is an umbrella entry for one of project Rhino's topics; for details of 
> project Rhino, please refer to 
> https://github.com/intel-hadoop/project-rhino/. The major goal for this entry, 
> as described in project Rhino, was 
>  
> "Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication 
> at the RPC layer, via SASL. However this does not provide valuable attributes 
> such as group membership, classification level, organizational identity, or 
> support for user defined attributes. Hadoop components must interrogate 
> external resources for discovering these attributes and at scale this is 
> problematic. There is also no consistent delegation model. HDFS has a simple 
> delegation capability, and only Oozie can take limited advantage of it. We 
> will implement a common token based authentication framework to decouple 
> internal user and service authentication from external mechanisms used to 
> support it (like Kerberos)"
>  
> We'd like to start our work from Hadoop-Common and try to provide common 
> facilities by extending the existing authentication framework, which will support:
> 1. Pluggable token provider interface 
> 2. Pluggable token verification protocol and interface
> 3. Security mechanism to distribute secrets in cluster nodes
> 4. Delegation model of user authentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
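Kai's first question, how to keep an "internal" authentication method (TOKEN) from being accepted where an "external" one is required, is easiest to see as a server-side guard on the RPC that mints internal credentials. The class below is an added illustration written for this page; it is neither Kai's nor Daryn's code nor Hadoop's own implementation, though HDFS's NameNode applies a check of this shape before issuing a delegation token. It assumes hadoop-common and its dependencies are on the classpath and uses only the public UserGroupInformation API named in the comment (getAuthenticationMethod, getRealUser, createRemoteUser, createProxyUser, setAuthenticationMethod); the principals in main are constructed in memory, so no cluster, KDC or login is needed. The rule it enforces: a caller who authenticated with KERBEROS, KERBEROS_SSL or CERTIFICATE (all backed by an external identity system) may obtain a token; a caller who authenticated with TOKEN or SIMPLE may not, which stops a stolen or expiring delegation token from being laundered into a fresh one; a PROXY caller is judged by the real user's method, so a proxy through a Kerberos-authenticated Oozie passes while a proxy through a token-authenticated task does not.

```java
import java.util.EnumSet;

import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

/**
 * Guard for a token-issuing RPC (for example getDelegationToken).
 * Illustration only: not Hadoop's own NameNode logic.
 */
public class TokenIssuePolicy {

    /** Methods that prove authentication to an external identity system (KDC or PKI). */
    private static final EnumSet<AuthenticationMethod> EXTERNAL =
            EnumSet.of(AuthenticationMethod.KERBEROS,
                       AuthenticationMethod.KERBEROS_SSL,
                       AuthenticationMethod.CERTIFICATE);

    /**
     * PROXY is not an authentication method of its own: the proxy user is only
     * as well authenticated as the real user that is impersonating it, so the
     * decision is made on the real user's method.
     */
    static AuthenticationMethod effectiveMethod(UserGroupInformation ugi) {
        AuthenticationMethod method = ugi.getAuthenticationMethod();
        if (method == AuthenticationMethod.PROXY) {
            UserGroupInformation real = ugi.getRealUser();
            return real == null ? AuthenticationMethod.PROXY : real.getAuthenticationMethod();
        }
        return method;
    }

    /** True only for callers whose (effective) method is external. TOKEN and SIMPLE are refused. */
    static boolean mayIssueToken(UserGroupInformation ugi) {
        return EXTERNAL.contains(effectiveMethod(ugi));
    }

    /** The form a server would call at the top of the RPC handler. */
    static void checkMayIssueToken(UserGroupInformation ugi) throws AccessControlException {
        if (!mayIssueToken(ugi)) {
            throw new AccessControlException("Tokens can be issued only to callers authenticated by "
                    + EXTERNAL + ", not " + effectiveMethod(ugi)
                    + " (user " + ugi.getUserName() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory principals (hypothetical names): no KDC or login involved.
        UserGroupInformation alice = UserGroupInformation.createRemoteUser("alice");
        alice.setAuthenticationMethod(AuthenticationMethod.KERBEROS);

        // The same user as seen from a running task that authenticated with a delegation token.
        UserGroupInformation aliceTask = UserGroupInformation.createRemoteUser("alice");
        aliceTask.setAuthenticationMethod(AuthenticationMethod.TOKEN);

        // A Kerberos-authenticated service (Oozie-style) impersonating bob.
        UserGroupInformation oozie = UserGroupInformation.createRemoteUser("oozie");
        oozie.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
        UserGroupInformation bobViaOozie = UserGroupInformation.createProxyUser("bob", oozie);

        // A token-authenticated task impersonating bob: must be refused despite PROXY.
        UserGroupInformation bobViaTask = UserGroupInformation.createProxyUser("bob", aliceTask);

        for (UserGroupInformation ugi : new UserGroupInformation[] {alice, aliceTask, bobViaOozie, bobViaTask}) {
            String verdict;
            try {
                checkMayIssueToken(ugi);
                verdict = "issue";
            } catch (AccessControlException e) {
                verdict = "refuse: " + e.getMessage();
            }
            System.out.printf("%-6s method=%-9s effective=%-9s -> %s%n",
                    ugi.getUserName(), ugi.getAuthenticationMethod(), effectiveMethod(ugi), verdict);
        }
    }
}
```

The point of keeping the allowed set explicit (an EnumSet rather than a `!= TOKEN` test) is that any new method added to the enum, such as a Rhino common-token method, is refused by default until someone decides which side of the internal/external line it sits on.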