    [ https://issues.apache.org/jira/browse/HADOOP-10959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14095056#comment-14095056 ]

Kai Zheng commented on HADOOP-10959:
------------------------------------

bq. we need to discuss is exactly who has the problem that this solution solves.

I quite agree. This desires to enhance Hadoop Kerberos authentication by a token-preauth mechanism for Kerberos itself and to allow integrating other authentication providers for clusters that essentially require Kerberos as a must, or have already deployed Kerberos previously. Do such scenarios make sense? I'd love to discuss and clarify this further with more feedback.

bq. I think that it is very interesting that this may end up making its way into MIT kerberos itself.

We're collaborating with the MIT team on drafting the token-preauth mechanism and then implementing it based on the prototype. Hopefully we can make it in the not so long future, but before that we can publish the plugin implementation code for review and a binary for experimental usage.

bq. Not sure how likely it would make it into AD though - so this will end up being a feature that requires MIT kerberos even in MS shops.

A cluster can have a MIT Kerberos deployment with this token support serving as an authentication hub for internal usage; then AD can be supported by a Kerberos cross-realm trust setup, and other authentication providers can be supported by a token authentication service that supports JWT tokens. *Owing to this, the OAuth 2.0 token work flow would be possible for the ecosystem.*

bq. we look at the pains of the current authentication with kerberos approach which ones are actually solved by this solution

No. This effort doesn't attempt to resolve all the pains of Kerberos, as TokenAuth (HADOOP-9392) desires to. This focuses on providing the token support assuming a Kerberos deployment. That means, if you accept Kerberos and like both its strengths and drawbacks for your cluster, then this solution provides you more integration options by employing the token support for your end users' sake.

Right, we do wish and are also making an effort to simplify the Kerberos deployment for Hadoop, which we think makes sense for the long term. It's another story though.

bq. keytabs - not really - replaced by JWT tokens (assuming that this is intended for services as well as users)

It's not a problem to use a token to authenticate a service, but it doesn't help the service to authenticate clients, because that requires Kerberos keys which must be provided by keytabs. However, the pain of deploying keytabs for services can be alleviated by token support; still, another story.

bq. SPNEGO - NO - still required for REST APIs and browsers

It's not true for browsers. Browsers can be given a token by a flow (like the OAuth web work flow) or a user form, and submit the token to the server side. On the server side it does SPNEGO for compatibility with non-token accesses.

bq. Can multiple kerberos plugins be used at once - which would allow for a mixed deployment of kerberos and JWT?

Right. Kerberos supports multiple preauthentication mechanisms and the MIT KDC supports multiple plugins. You reminded me that I can provide a typical deployment with this token support. Will update the design doc later. Thanks.

> A Complement and Short Term Solution to TokenAuth Based on Kerberos Pre-Authentication Framework
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10959
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10959
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>              Labels: Rhino
>         Attachments: KerbToken-v2.pdf
>
>
> To implement and integrate pluggable authentication providers, enhance desirable single sign on for end users, and help enforce centralized access control on the platform, the community has widely discussed and concluded that token based authentication could be the appropriate approach.
> TokenAuth (HADOOP-9392) was proposed and is under development to implement another Authentication Method alongside Simple and Kerberos. It is a big and long term effort to support TokenAuth across the entire ecosystem. We here propose a short term replacement based on Kerberos that can complement TokenAuth. Our solution involves fewer code changes with limited risk, and the main development work has already been done in our POC. Users can use our solution as a short term solution to support tokens inside Hadoop.
> This effort and the resultant solution will be fully described in the design document to be attached. And a brief introduction will be given in the comments.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
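The browser flow the comment describes, a bearer token accepted first with SPNEGO kept as the fallback for non-token clients, as an added example that is not part of the JIRA thread or of the Hadoop code base. It assumes HS256-signed JWTs from a hypothetical token service under a shared secret; the SPNEGO exchange itself is left to the existing filter.

```python
# Added example (not Hadoop code): a token-first / SPNEGO-fallback gate for an
# HTTP endpoint. Assumes HS256 JWTs from a hypothetical token service under a
# shared secret; the SPNEGO exchange itself stays with the existing filter.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"       # constructed; load from a keystore in practice
ISSUER = "https://token-service.example"  # hypothetical issuer of the JWTs

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, now: int, ttl: int = 300) -> str:
    """Mint an HS256 JWT the way the token service would; `now` is unix time."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": ISSUER, "sub": user, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_token(token: str, now: int):
    """Subject of the JWT if it is signed by us, from ISSUER and unexpired; else None."""
    try:
        header, claims, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":  # refuse alg=none etc.
            return None
        expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):    # constant-time compare
            return None
        body = json.loads(_unb64url(claims))
        if body.get("iss") != ISSUER or body.get("exp", 0) <= now:
            return None
        return body.get("sub")
    except (ValueError, TypeError, AttributeError):  # malformed base64 / JSON / claims
        return None

def route_request(headers: dict, now: int):
    """("token", user) for a valid bearer JWT; ("reject", None) for a bad one (never a
    silent downgrade); ("spnego", None) when no token was sent, so the existing SPNEGO
    filter answers with 401 + WWW-Authenticate: Negotiate as it does today."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user = verify_token(auth[len("Bearer "):], now)
        return ("token", user) if user else ("reject", None)
    return ("spnego", None)
```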