[ 
https://issues.apache.org/jira/browse/HADOOP-10959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14094390#comment-14094390
 ] 

Larry McCay commented on HADOOP-10959:
--------------------------------------

There is some interesting work here.

What I need to think about or we need to discuss is exactly who has the problem 
that this solution solves.

I think that it is very interesting that this may end up making its way into 
MIT Kerberos itself.
Not sure how likely it would make it into AD though - so this will end up being 
a feature that requires MIT Kerberos even in MS shops.

So - if we look at the pains of the current authentication with Kerberos 
approach, which ones are actually solved by this solution:

* Kerberos/KDC setup - NO - in fact it is more complicated (maybe tooling can 
help)
* user accounts - NO - still needed
* keytabs - not really - replaced by JWT tokens (assuming that this is intended 
for services as well as users)
* kinit - NO - still required but will present JWT instead of username/token
* SPNEGO - NO - still required for REST APIs and browsers(?)
* narrow integration opportunities - YES - there are a number of solutions that 
can issue or exchange other tokens for JWT tokens - including Microsoft's

Can multiple Kerberos plugins be used at once - which would allow for a mixed 
deployment of Kerberos and JWT?


> A Complement and Short Term Solution to TokenAuth Based on Kerberos 
> Pre-Authentication Framework
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10959
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10959
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>              Labels: Rhino
>         Attachments: KerbToken-v2.pdf
>
>
> To implement and integrate pluggable authentication providers, enhance 
> desirable single sign-on for end users, and help enforce centralized access 
> control on the platform, the community has widely discussed and concluded that 
> token-based authentication could be the appropriate approach. TokenAuth 
> (HADOOP-9392) was proposed and is under development to implement another 
> Authentication Method in lieu with Simple and Kerberos. It is a big and 
> long-term effort to support TokenAuth across the entire ecosystem. We here 
> propose a short-term replacement based on Kerberos that can complement 
> TokenAuth. Our solution involves fewer code changes with limited risk, and the 
> main development work has already been done in our POC. Users can use our 
> solution as a short-term solution to support tokens inside Hadoop.
> This effort and resultant solution will be fully described in the design 
> document to be attached. And the brief introduction will be commented.


