[jira] Commented: (HADOOP-1701) Provide a simple authentication service and a user management service

Wed, 15 Aug 2007 10:37:53 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-1701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12520043
 ] 

dhruba borthakur commented on HADOOP-1701:
------------------------------------------

I browsed the API description. Looks good. Minor comments:

1. I wonder if the default user-name should be hard-coded into the code rather 
that it being a configuration variable. Currently, you have login.username to 
define the default anonymous username.

2. Maybe the special uids be negative values (instead of reserving < 1000000) 
This will allow us to make the hadoop-uids match with the user's unix uids. 
Unix-uids typically are positive integers. It might also facilitate easy 
integration with most LDAP installations.
 

> Provide a simple authentication service and a user management service
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-1701
>                 URL: https://issues.apache.org/jira/browse/HADOOP-1701
>             Project: Hadoop
>          Issue Type: New Feature
>            Reporter: Tsz Wo (Nicholas), SZE
>            Assignee: Tsz Wo (Nicholas), SZE
>         Attachments: 1701_20070813c.patch, users.txt
>
>
> In HADOOP-1298, we want to add user information and permission to the file 
> system.  It requires an authentication service and a user management service. 
>  We should provide a framework and a simple implementation in issue and 
> extend it later.  As discussed in HADOOP-1298, the framework should be 
> extensible and pluggable.
> - Extensible: possible to extend the framework to the other parts (e.g. 
> map-reduce) of Hadoop.
> - Pluggable: can easily switch security implementations.  Below is a diagram 
> borrowed from Java.
> !http://java.sun.com/javase/6/docs/technotes/guides/security/overview/images/3.jpg!
> - Implement a Hadoop authentication center (HAC).  In the first step, the 
> mechanism of HAC is very simple, it keeps track a list of usernames (we only 
> support users, will work on other principals later) in HAC and verify 
> username in user login (yeah, no password).  HAC can run inside NameNode or 
> run as a stand alone server.   We will probably use Kerberos to provide more 
> sophisticated authentication service.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to