[ https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14258005#comment-14258005 ]
Kai Zheng commented on HADOOP-9392:
-----------------------------------

Some updates. We're running this for the long term. Besides this, we have another complementary solution to TokenAuth based on the Kerberos pre-authentication framework and a token-preauth extension or mechanism, which was proposed in HADOOP-10959. Meanwhile, we have also initiated the Haox project, targeting a Java Kerberos implementation, and based on it, we're going to prototype the Kerberos extensions in the not so distant future, aiming to provide the necessary Java client libraries to support this.

https://github.com/drankye/haox

> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Yi Liu
>         Attachments: TokenAuth-breakdown.pdf,
> token-based-authn-plus-sso-v2.0.pdf, token-based-authn-plus-sso.pdf
>
>
> This is an umbrella entry for one of project Rhino’s topics. For details of
> project Rhino, please refer to
> https://github.com/intel-hadoop/project-rhino/. The major goal for this entry
> as described in project Rhino was
>
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication
> at the RPC layer, via SASL. However this does not provide valuable attributes
> such as group membership, classification level, organizational identity, or
> support for user defined attributes. Hadoop components must interrogate
> external resources for discovering these attributes and at scale this is
> problematic. There is also no consistent delegation model. HDFS has a simple
> delegation capability, and only Oozie can take limited advantage of it. We
> will implement a common token based authentication framework to decouple
> internal user and service authentication from external mechanisms used to
> support it (like Kerberos)”
>
> We’d like to start our work from Hadoop-Common and try to provide common
> facilities by extending existing authentication framework which support:
> 1. Pluggable token provider interface
> 2. Pluggable token verification protocol and interface
> 3. Security mechanism to distribute secrets in cluster nodes
> 4. Delegation model of user authentication

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)