[ 
https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13706149#comment-13706149
 ] 

Daryn Sharp commented on HADOOP-9392:
-------------------------------------

I'm still digesting the doc, but it's unclear to me if a client in this 
architecture will be able to simultaneously access both SSO clusters and 
non-SSO (ex. kerberos) clusters?  A large scale deployment such as Yahoo will 
never adopt a new security framework if a staged migration will break 
cross-cluster access.

I'm a bit concerned about wanting to migrate the existing auth methods into a 
new framework.  I'd prefer to see us try to plugin new auth methods to Java via 
javax service providers for SASL & http & JAAS.  The more code we wrap around 
these standard facilities, the greater the chance that a security flaw will 
sneak in.

I'm working on a doc to detail how I would envision SSO integrating in a manner 
that avoids these concerns.
                
> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>
>         Attachments: token-based-authn-plus-sso.pdf, 
> token-based-authn-plus-sso-v2.0.pdf
>
>
> This is an umbrella entry for one of project Rhino’s topic, for details of 
> project Rhino, please refer to 
> https://github.com/intel-hadoop/project-rhino/. The major goal for this entry 
> as described in project Rhino was 
>  
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication 
> at the RPC layer, via SASL. However this does not provide valuable attributes 
> such as group membership, classification level, organizational identity, or 
> support for user defined attributes. Hadoop components must interrogate 
> external resources for discovering these attributes and at scale this is 
> problematic. There is also no consistent delegation model. HDFS has a simple 
> delegation capability, and only Oozie can take limited advantage of it. We 
> will implement a common token based authentication framework to decouple 
> internal user and service authentication from external mechanisms used to 
> support it (like Kerberos)”
>  
> We’d like to start our work from Hadoop-Common and try to provide common 
> facilities by extending existing authentication framework which support:
> 1.    Pluggable token provider interface 
> 2.    Pluggable token verification protocol and interface
> 3.    Security mechanism to distribute secrets in cluster nodes
> 4.    Delegation model of user authentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to