[
https://issues.apache.org/jira/browse/HADOOP-9533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13668355#comment-13668355
]
Daryn Sharp commented on HADOOP-9533:
-------------------------------------
As best I can tell, the general approach here is to replace the kerberos TGT
with a conceptually equivalent IDP TGT? If so, let's call it a IDP
(S)ervice(G)ranting(T)oken for a moment. The client requests a IDP-SGT and
then presents this IDP-SGT to the NN/RM/etc, in place of a kerberos TGT, to
acquire the standard tokens it does today?
bq. One concern I have with SASL or other forms of mechanism negotiation is
that the authenticity of the mechanism can be confirmed in order to avoid
downgrade attacks. Would this assume TLS or some other mechanism?
I don't believe there's any reason why SASL can't occur over SSL. At least
with DIGEST-MD5, I don't believe SSL is strictly necessary since it's designed
to avoid man-in-the-middle attacks. The server doesn't have direct access to
the user supplied password. SASL does provide the ability to go into an
encrypted mode (ex. SSL) post-authentication. Hadoop appears to support this
but I'm not sure how well tested it is.
What is the scenario you envision for downgrade attacks? A server requests
LDAP so it can acquire the user's password? I suppose this is where a IDP-SGT
would come in handy, but I'm unclear (maybe I missed it in the doc) how a
PKI-based SGT addresses this issue. How does is the SGT verified by a service,
like the NN, such that it can't capture and reuse the SGT?
> Centralized Hadoop SSO/Token Server
> -----------------------------------
>
> Key: HADOOP-9533
> URL: https://issues.apache.org/jira/browse/HADOOP-9533
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Larry McCay
> Attachments: HSSO-Interaction-Overview-rev-1.docx,
> HSSO-Interaction-Overview-rev-1.pdf
>
>
> This is an umbrella Jira filing to oversee a set of proposals for introducing
> a new master service for Hadoop Single Sign On (HSSO).
> There is an increasing need for pluggable authentication providers that
> authenticate both users and services as well as validate tokens in order to
> federate identities authenticated by trusted IDPs. These IDPs may be deployed
> within the enterprise or third-party IDPs that are external to the enterprise.
> These needs speak to a specific pain point: which is a narrow integration
> path into the enterprise identity infrastructure. Kerberos is a fine solution
> for those that already have it in place or are willing to adopt its use but
> there remains a class of user that finds this unacceptable and needs to
> integrate with a wider variety of identity management solutions.
> Another specific pain point is that of rolling and distributing keys. A
> related and integral part of the HSSO server is library called the Credential
> Management Framework (CMF), which will be a common library for easing the
> management of secrets, keys and credentials.
> Initially, the existing delegation, block access and job tokens will continue
> to be utilized. There may be some changes required to leverage a PKI based
> signature facility rather than shared secrets. This is a means to simplify
> the solution for the pain point of distributing shared secrets.
> This project will primarily centralize the responsibility of authentication
> and federation into a single service that is trusted across the Hadoop
> cluster and optionally across multiple clusters. This greatly simplifies a
> number of things in the Hadoop ecosystem:
> 1. a single token format that is used across all of Hadoop regardless of
> authentication method
> 2. a single service to have pluggable providers instead of all services
> 3. a single token authority that would be trusted across the cluster/s and
> through PKI encryption be able to easily issue cryptographically verifiable
> tokens
> 4. automatic rolling of the token authority’s keys and publishing of the
> public key for easy access by those parties that need to verify incoming
> tokens
> 5. use of PKI for signatures eliminates the need for securely sharing and
> distributing shared secrets
> In addition to serving as the internal Hadoop SSO service this service will
> be leveraged by the Knox Gateway from the cluster perimeter in order to
> acquire the Hadoop cluster tokens. The same token mechanism that is used for
> internal services will be used to represent user identities. Providing for
> interesting scenarios such as SSO across Hadoop clusters within an enterprise
> and/or into the cloud.
> The HSSO service will be comprised of three major components and capabilities:
> 1. Federating IDP – authenticates users/services and issues the common
> Hadoop token
> 2. Federating SP – validates the token of trusted external IDPs and issues
> the common Hadoop token
> 3. Token Authority – management of the common Hadoop tokens – including:
> a. Issuance
> b. Renewal
> c. Revocation
> As this is a meta Jira for tracking this overall effort, the details of the
> individual efforts will be submitted along with the child Jira filings.
> Hadoop-Common would seem to be the most appropriate home for such a service
> and its related common facilities. We will also leverage and extend existing
> common mechanisms as appropriate.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
