[ https://issues.apache.org/jira/browse/HADOOP-11766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jiajia Li updated HADOOP-11766:
-------------------------------
Attachment: HADOOP-11766-V1.patch
Uploaded a rough patch illustrating the overall ideas:
1. Defined a generic token interface named {{AuthToken}}, abstracting common
token attributes;
2. Implemented {{JwtAuthToken}} and {{CloudFoundryOAuth2Token}}, with
corresponding decoders and validators, for checking signature, expiration,
audiences and scope. The token decoder and validators are pluggable and
configurable;
3. Provided a new {{AuthTokenAuthenticationHandler}} for Hadoop Web UI, REST
and WebHDFS, that can support the JWT token and Cloud Foundry OAuth2 token.
> Generic token authentication support for Hadoop
> -----------------------------------------------
>
> Key: HADOOP-11766
> URL: https://issues.apache.org/jira/browse/HADOOP-11766
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Kai Zheng
> Assignee: Kai Zheng
> Attachments: HADOOP-11766-V1.patch
>
>
> As a major goal of the Rhino project, we proposed the *TokenAuth* effort in
> HADOOP-9392, which is to provide a common token authentication framework to
> integrate multiple authentication mechanisms, by adding a new
> {{AuthenticationMethod}} in lieu of {{KERBEROS}} and {{SIMPLE}}. To minimize
> the required changes and risk, we thought of another approach to achieve the
> general goals based on Kerberos as Kerberos itself supports a
> pre-authentication framework in both spec and implementation, which was
> discussed in HADOOP-10959 as *TokenPreauth*. In both approaches, we had
> performed workable prototypes covering both command line console and Hadoop
> web UI.
> As HADOOP-9392 is rather lengthy and heavy, and HADOOP-10959 is mostly focused on
> the concrete implementation approach based on Kerberos, we open this for more
> general and updated discussions about requirements, use cases, and concerns
> for the generic token authentication support for Hadoop. We distinguish this
> token from existing Hadoop tokens as the token in this discussion is mainly
> for the initial and primary authentication. We will refine our existing code
> in HADOOP-9392 and HADOOP-10959, and break it down into smaller patches based
> on the latest trunk.
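The checks listed in the comment above (signature, expiration, audiences, scope) composed as a pluggable validator chain behind a token decoder. This is an added example, not code from HADOOP-11766-V1.patch or from Hadoop. It is written in Python so that it runs on the standard library alone, and it assumes HS256-signed compact JWTs; every function name, key and claim value in it is constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64d(part):  # base64url decode, restoring the stripped padding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key, alg="HS256"):  # constructed sample issuer for the demo
    body = b64e(json.dumps({"alg": alg}).encode()) + "." + b64e(json.dumps(claims).encode())
    return body + "." + b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())

def decode(token):  # decoder: compact JWT -> (header, claims, signed bytes, signature)
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64d(h)), json.loads(b64d(p)), b64d(s)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and claims must be JSON objects")
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise PermissionError("malformed token") from exc
    return header, claims, f"{h}.{p}".encode(), sig

def as_list(value, split=False):  # claim given as one string or as a JSON array
    if isinstance(value, str):
        return value.split() if split else [value]
    return value if isinstance(value, list) else []

# Pluggable validators: each returns None to accept, or a rejection reason.
def signature(key):
    def check(header, claims, signed, sig):
        if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
            return "unexpected alg"
        good = hmac.new(key, signed, hashlib.sha256).digest()
        return None if hmac.compare_digest(good, sig) else "bad signature"
    return check

def expiration(header, claims, signed, sig):
    exp = claims.get("exp")
    return None if isinstance(exp, (int, float)) and time.time() < exp else "expired"

def audience(expected):
    return lambda h, c, *_: None if expected in as_list(c.get("aud")) else "wrong audience"
def scope(required):  # scope may be a space-delimited string or an array
    ok = lambda c: all(s in as_list(c.get("scope"), True) for s in required)
    return lambda h, c, *_: None if ok(c) else "insufficient scope"

def authenticate(token, validators):
    parts = decode(token)
    for reason in filter(None, (check(*parts) for check in validators)):
        raise PermissionError(reason)  # first failing validator rejects the token
    return parts[1].get("sub")
```

Put the signature validator first in the chain so that the claim checks only ever see authenticated data; a missing `exp` is treated as expired rather than as a token that never expires.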