[https://issues.apache.org/jira/browse/HADOOP-9671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13756397#comment-13756397]
Kai Zheng commented on HADOOP-9671:
-----------------------------------
bq. I assume that "common token" is the one issued by the newly proposed Hadoop
Authentication Server (HAS). Do you mean that we need to replace the delegation
token and the blocks tokens with it?
Right. The "common token" mentioned in the requirement is the one issued by
HAS. As we have already discussed in HADOOP-9392, the HAS token can coexist with
the existing Hadoop tokens (delegation token, block token, etc.), and in the
current phase we do not propose to replace Hadoop's existing tokens with the new
one. In the future we might consider that as an improvement and unify Hadoop's
existing tokens with the fundamental infrastructure and facilities provided by HAS.
bq. What are the "new authentication method" and the "concrete
authentication method"?
The mentioned "new authentication method" is the proposed TokenAuthn method to
be added to the current Hadoop SASL/RPC framework in lieu of 'simple' and
'kerberos'. This new authentication method (TokenAuthn) bridges various
concrete authentication mechanisms to Hadoop for traditional IdPs and identity
back ends like SQL/JDBC, AD/LDAP, Web SSO products, etc. In this way, Hadoop
only needs to understand the TokenAuthn method, without having to understand
concrete authentication providers like AD/LDAP.
bq. Can you expand on this and also give an example? I got it that the token
will contain both the main principal and also the group membership, based on the
discussion on other Jiras. Do you mean more than that?
By default the TokenAuth framework will define some attributes to be contained in
the token. As to which attributes to put in, how about we discuss that in
HADOOP-9836 regarding the token definition and API? Besides that, more attributes
can be provisioned into the token from the Attribute Service by employing security
policies.
bq. Hadoop supports this today. Did you want to do something different?
Yes, Hadoop supports proxy today, and to stay consistent with it, the TokenAuth
framework and HAS implementation were introduced with plugin support for various
IdPs, to support proxy in terms of the token. Please refer to the design doc
for the complete flow and description regarding it. Thanks.
> Improve Hadoop security - Use cases, Threat Model and Problems
> --------------------------------------------------------------
>
> Key: HADOOP-9671
> URL: https://issues.apache.org/jira/browse/HADOOP-9671
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Sanjay Radia
>