[ https://issues.apache.org/jira/browse/HADOOP-9926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13757793#comment-13757793 ]
Kai Zheng commented on HADOOP-9926:
-----------------------------------

bq. Is there any reason why we don't just require implementing a JAAS LoginModule for anybody wanting a diff authentication?

The implementation still focuses on the JAAS approach by providing convenient facilities and manageability for JAAS configuration. It's encouraged to use the JAAS option, though not obligated. The change defines a common interface and makes it possible to also take a non-JAAS approach to abstraction. I was thinking it makes sense to introduce this abstraction for the long term with minimized overhead while we are in there doing related work.

bq. for Kerberos the only thing we would need to do is to provide preconfigured 'javax.security.auth.login.Configuration' implementations (which we already have) and the mechanism for loading them based on the desired authentication.

Please help clarify this. There are already the needed JAAS configurations for Kerberos authn preconfigured through code by loading necessary options like keytab and principal from the configuration file. The change here doesn't change that in any way and won't affect existing deployments. This makes existing login implementations modular and separate from the UGI class, and makes it possible to plug in new authentication support without having to change the UGI class again.

> Authentication specific login implementation in separate class from UGI
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-9926
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9926
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>
> As discussed in HADOOP-9797, we would improve UGI class in incremental patches. This issue covers the following in the patch that will be attached for this issue:
>
> * HadoopLogin is an interface, and AbstractHadoopLogin is the abstract implementation for it, to define the API and common implementation for various login mechanisms, not just for JAAS based.
> * Login implementation details are removed from UGI and wrapped in concrete HadoopLogin implementations like SimpleAuthnLogin, UserKerberosLogin and KeytabKerberosLogin, which will be simply employed by appropriate UGI login related methods to do the login work.
> * The login result can be returned via getSubject() for now from the HadoopLogin interface, and UGI can call it to get the result. The result is then wrapped in a UGI object.
> * For Kerberos part, we might cover it in another JIRA since the change is big.
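
An added example, not code from the HADOOP-9926 patch or from Hadoop: a sketch of the keytab case discussed above, where the JAAS `Configuration` is built in code from a principal and keytab path and the login result is exposed as a `Subject`. The class name `KeytabLoginSketch`, the entry label and the method names are hypothetical; the JAAS classes and `Krb5LoginModule` options are the standard JDK ones, and a real login assumes a reachable KDC.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical sketch: keytab login with a JAAS configuration built in code. */
public class KeytabLoginSketch {
    // Arbitrary entry label chosen for this sketch.
    private static final String ENTRY = "keytab-kerberos-sketch";

    /** Builds an in-memory JAAS Configuration with one Krb5LoginModule entry. */
    static Configuration keytabConfig(String principal, String keytabPath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true"); // fail rather than prompt if the keytab is unusable
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // Unknown entry names get no modules, so a typo cannot fall through
                // to some other login mechanism.
                return ENTRY.equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }

    /** Performs the login; the Subject is the result a caller would wrap. */
    static Subject login(String principal, String keytabPath) throws LoginException {
        LoginContext ctx = new LoginContext(ENTRY, new Subject(), null,
            keytabConfig(principal, keytabPath));
        ctx.login();
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        if (args.length == 2) { // <principal> <keytab path>, needs a reachable KDC
            System.out.println(login(args[0], args[1]).getPrincipals());
        } else { // offline: show the options built for a constructed sample input
            Configuration c = keytabConfig("svc/host@EXAMPLE.COM", "/tmp/sample.keytab");
            System.out.println(c.getAppConfigurationEntry(ENTRY)[0].getOptions());
        }
    }
}
```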