[ https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13707194#comment-13707194 ]

Sanjay Radia commented on HADOOP-9392:
--------------------------------------

This document helps clarify the proposal. Thanks. I would like to improve 
terminology confusion in two areas: the terms *token* and *Token authentication 
service*.
* Hadoop already has tokens used for authentication. Discussions in this jira 
clarified that the Hadoop tokens were general and not limited to HDFS as was 
originally mentioned in this Jira.
* Further, all authentication solutions use tokens/tickets and "token-based" is 
not the distinguishing characteristic of this solution. Indeed its 
distinguishing characteristic is a different model for pluggability.

Hence I would like to propose to change the name of TAS and also add a suffix 
or prefix to the new tokens to avoid confusion with the Hadoop tokens. The TAS 
is really a federated authentication service, where each TAS is centralized. So 
how about calling it a Hadoop Authentication Service (HAS)? Or perhaps a 
Pluggable Authentication Service - PAS (or HPAS?). Indeed pluggability is its 
distinguishing characteristic - you don't have to plug in on the RPC layer but 
in this service. As for the name of the new tokens: PAS-tokens or HAS-tokens 
depending on whether the service is called HAS or PAS.

> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>
>         Attachments: token-based-authn-plus-sso.pdf, 
> token-based-authn-plus-sso-v2.0.pdf
>
>
> This is an umbrella entry for one of project Rhino's topics; for details of 
> project Rhino, please refer to 
> https://github.com/intel-hadoop/project-rhino/. The major goal for this entry 
> as described in project Rhino was 
>  
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication 
> at the RPC layer, via SASL. However this does not provide valuable attributes 
> such as group membership, classification level, organizational identity, or 
> support for user defined attributes. Hadoop components must interrogate 
> external resources for discovering these attributes and at scale this is 
> problematic. There is also no consistent delegation model. HDFS has a simple 
> delegation capability, and only Oozie can take limited advantage of it. We 
> will implement a common token based authentication framework to decouple 
> internal user and service authentication from external mechanisms used to 
> support it (like Kerberos)”
>  
> We'd like to start our work from Hadoop-Common and try to provide common 
> facilities by extending the existing authentication framework, which supports:
> 1. Pluggable token provider interface
> 2. Pluggable token verification protocol and interface
> 3. Security mechanism to distribute secrets in cluster nodes
> 4. Delegation model of user authentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira