[ https://issues.apache.org/jira/browse/HADOOP-1701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12521640 ]
Tsz Wo (Nicholas), SZE commented on HADOOP-1701:
------------------------------------------------
1) I did not really use WritableFactory in the framework. I will revert it.
2) getSubject(...) is useful for java.security API, for example, access
control. It just initializes the principals to the Subject.
3) getPrincipal(...) is really misleading: it means getIssuer(...).
4) I just need somewhere to put the public methods, like hadoopLogin(...). Of
course, I can create a new class for that purpose.
5) I want to provide a general mechanism to get the username. We might only need a
Collector interface and conf always specifies a subclass.
> Provide a simple authentication service and a user management service
> ---------------------------------------------------------------------
>
> Key: HADOOP-1701
> URL: https://issues.apache.org/jira/browse/HADOOP-1701
> Project: Hadoop
> Issue Type: New Feature
> Reporter: Tsz Wo (Nicholas), SZE
> Assignee: Tsz Wo (Nicholas), SZE
> Attachments: 1701_20070821framework.patch
>
>
> In HADOOP-1298, we want to add user information and permission to the file
> system. It requires an authentication service and a user management service.
> We should provide a framework and a simple implementation in issue and
> extend it later. As discussed in HADOOP-1298, the framework should be
> extensible and pluggable.
> - Extensible: possible to extend the framework to the other parts (e.g.
> map-reduce) of Hadoop.
> - Pluggable: can easily switch security implementations. Below is a diagram
> borrowed from Java.
> !http://java.sun.com/javase/6/docs/technotes/guides/security/overview/images/3.jpg!
> - Implement a Hadoop authentication center (HAC). In the first step, the
> mechanism of HAC is very simple: it keeps track of a list of usernames (we only
> support users, will work on other principals later) in HAC and verifies the
> username at user login (yeah, no password). HAC can run inside NameNode or
> run as a standalone server. We will probably use Kerberos to provide a more
> sophisticated authentication service.