[ 
https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13699737#comment-13699737
 ] 

Kai Zheng commented on HADOOP-9392:
-----------------------------------

Sure thing Larry. A lot of these updates predate last week’s discussion at the 
summit. Fortunately the discussion at the summit was in line with our thinking 
on the required revisions from discussing with others in the community prior to 
the summit.

The DISCUSS thread on common-dev is great for some approach discussions, thank 
you starting that. For the design discussions and implementation feedback, in 
keeping with how it’s done on most JIRAs in Apache, let's keep it focused on 
the JIRA. That way they are all in one place for everyone to read on the JIRA 
itself and folks don’t have to hunt around for emails later.

I am looking forward to comments from everyone in the community. Request the 
community review this design rev and provide their comments on the JIRA. Thanks 
in advance.
                
> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>
>         Attachments: token-based-authn-plus-sso.pdf, 
> token-based-authn-plus-sso-v2.0.pdf
>
>
> This is an umbrella entry for one of project Rhino’s topic, for details of 
> project Rhino, please refer to 
> https://github.com/intel-hadoop/project-rhino/. The major goal for this entry 
> as described in project Rhino was 
>  
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication 
> at the RPC layer, via SASL. However this does not provide valuable attributes 
> such as group membership, classification level, organizational identity, or 
> support for user defined attributes. Hadoop components must interrogate 
> external resources for discovering these attributes and at scale this is 
> problematic. There is also no consistent delegation model. HDFS has a simple 
> delegation capability, and only Oozie can take limited advantage of it. We 
> will implement a common token based authentication framework to decouple 
> internal user and service authentication from external mechanisms used to 
> support it (like Kerberos)”
>  
> We’d like to start our work from Hadoop-Common and try to provide common 
> facilities by extending existing authentication framework which support:
> 1.    Pluggable token provider interface 
> 2.    Pluggable token verification protocol and interface
> 3.    Security mechanism to distribute secrets in cluster nodes
> 4.    Delegation model of user authentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to