[ https://issues.apache.org/jira/browse/HADOOP-10959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14095056#comment-14095056 ]

Kai Zheng commented on HADOOP-10959:
------------------------------------

bq. we need to discuss is exactly who has the problem that this solution solves.
I quite agree. This aims to enhance Hadoop Kerberos authentication with a 
token-preauth mechanism for Kerberos itself and to allow integrating other 
authentication providers for clusters that essentially require Kerberos or 
have already deployed it. Do such scenarios make sense? I'd love to discuss 
and clarify this further with more feedback.

bq. I think that it is very interesting that this may end up making its way 
into MIT kerberos itself.
We're collaborating with the MIT team on drafting the token-preauth mechanism 
and then implementing it based on the prototype. Hopefully we can make it in 
the not so distant future, but before that we can publish the plugin 
implementation code for review and a binary for experimental usage.

bq. Not sure how likely it would make it into AD though - so this will end up 
being a feature that requires MIT kerberos even in MS shops.
A cluster can have an MIT Kerberos deployment with this token support serving 
as an authentication hub for internal usage; AD can then be supported by a 
Kerberos cross-realm trust setup, and other authentication providers can be 
supported by a token authentication service that supports JWT tokens. *Owing 
to this, an OAuth 2.0 token workflow would be possible for the ecosystem.*

bq. we look at the pains of the current authentication with kerberos approach 
which ones are actually solved by this solution
No. This effort doesn't attempt to resolve all the pains of Kerberos, as 
TokenAuth (HADOOP-9392) aims to. This focuses on providing token support 
assuming a Kerberos deployment. That means, if you accept Kerberos and like 
both its strengths and drawbacks for your cluster, then this solution provides 
you more integration options by employing the token support for your end 
users' sake.

Right, we do wish to, and are making an effort to, simplify the Kerberos 
deployment for Hadoop, which we think makes sense for the long term. That's 
another story though.

bq. keytabs - not really - replaced by JWT tokens (assuming that this is 
intended for services as well as users)
It's not a problem to use a token to authenticate a service, but it doesn't 
help the service authenticate clients, because that requires Kerberos keys 
which must be provided by keytabs. However, the pain of deploying keytabs for 
services can be alleviated by token support; still, another story.

bq. SPNEGO - NO - still required for REST APIs and browsers
It's not true for browsers. Browsers can be given a token by a flow (like the 
OAuth web flow) or a user form, and submit the token to the server side. On 
the server side it does SPNEGO for compatibility with non-token accesses.

bq. Can multiple kerberos plugins be used at once - which would allow for a 
mixed deployment of kerberos and JWT?
Right. Kerberos supports multiple preauthentication mechanisms and the MIT KDC 
supports multiple plugins. You reminded me that I can provide a typical 
deployment with this token support. Will update the design doc later. Thanks.
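The server-side dispatch described in the comment above (accept a token the browser obtained through an OAuth flow or a form, and fall back to SPNEGO for clients that have no token), written out as an added example. This is not code from the comment's author, from the attached design, or from Hadoop's own authentication filters. It assumes an HS256 JWT with a shared secret, a `Bearer` scheme for the token and `Negotiate` for SPNEGO, and a realm string `hadoop`; all of these are assumptions for illustration. GSSAPI acceptance of the SPNEGO blob is outside the example, which only decides which path a request takes.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret standing in for the key shared between the token
# service and this server (a real deployment would verify an asymmetric
# signature against the token service's public key instead).
TOKEN_SECRET = b"demo-secret-not-for-production"

# 401 challenge that advertises both mechanisms, so token-capable clients
# present a bearer token and everything else continues with SPNEGO.
CHALLENGE = [("WWW-Authenticate", "Negotiate"),
             ("WWW-Authenticate", 'Bearer realm="hadoop"')]


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(subject, secret=TOKEN_SECRET, ttl=300, now=None):
    """Mint an HS256 JWT for `subject`; stands in for the token service."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, secret=TOKEN_SECRET, now=None):
    """Return the token's subject if it is valid, else None.

    The algorithm is pinned to HS256 before the signature is checked, so a
    forged header claiming alg=none or another algorithm is rejected.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (h_b64 + "." + p_b64).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        payload = json.loads(b64url_decode(p_b64))
    except ValueError:          # malformed structure, base64, UTF-8 or JSON
        return None
    now = int(time.time()) if now is None else now
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload.get("sub")


def authenticate(headers, now=None):
    """Decide how one HTTP request authenticates.

    Returns ("token", principal) for a valid bearer JWT, ("spnego", gss_token)
    for a Negotiate request whose blob must go to the GSSAPI acceptor (not
    part of this example), or ("challenge", CHALLENGE) for a 401 response.
    """
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    scheme, credential = scheme.lower(), credential.strip()
    if scheme == "bearer":
        principal = verify_jwt(credential, now=now)
        # A bad token is re-challenged rather than silently routed to SPNEGO,
        # so the client learns the token was rejected instead of falling through.
        return ("token", principal) if principal else ("challenge", CHALLENGE)
    if scheme == "negotiate" and credential:
        try:
            return ("spnego", base64.b64decode(credential, validate=True))
        except ValueError:
            return ("challenge", CHALLENGE)
    return ("challenge", CHALLENGE)


if __name__ == "__main__":
    tok = issue_jwt("alice")
    print(authenticate({"Authorization": "Bearer " + tok}))
    print(authenticate({"Authorization": "Negotiate YII="}))  # constructed GSS blob
    print(authenticate({}))
```

The order matters: the token path is tried first and an invalid token is answered with a fresh challenge, while a request carrying no credential at all gets the same challenge, which is what lets token clients and plain SPNEGO clients share one endpoint.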


> A Complement and Short Term Solution to TokenAuth Based on Kerberos 
> Pre-Authentication Framework
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10959
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10959
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>              Labels: Rhino
>         Attachments: KerbToken-v2.pdf
>
>
> To implement and integrate pluggable authentication providers, enhance 
> desirable single sign-on for end users, and help enforce centralized access 
> control on the platform, the community has widely discussed and concluded 
> that token based authentication could be the appropriate approach. TokenAuth 
> (HADOOP-9392) was proposed and is under development to implement another 
> Authentication Method alongside Simple and Kerberos. It is a big and long 
> term effort to support TokenAuth across the entire ecosystem. We here propose 
> a short term replacement based on Kerberos that can complement TokenAuth. 
> Our solution involves fewer code changes with limited risk, and the main 
> development work has already been done in our POC. Users can use our solution 
> as a short term solution to support tokens inside Hadoop.
> This effort and the resultant solution will be fully described in the design 
> document to be attached, and a brief introduction will be given in the comments.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
