[ https://issues.apache.org/jira/browse/HADOOP-1701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12521924 ]
Doug Cutting commented on HADOOP-1701:
--------------------------------------

I agree with Owen that we should just have a Collector interface and a default implementation that reads from the config and/or OS.

Also, isn't it more secure to use UnixSystem#getUserName() than the system property, since normal users cannot modify the former? My preference would be to have the default only use the OS. That would make it slightly harder for folks to pretend to be someone else without changing, e.g., JobClient or DFSClient, no? If it's just a config property then anyone can specify root on the command line. We should make the default a bit harder than that to beat, no?

> Provide a simple authentication service and a user management service
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-1701
>                 URL: https://issues.apache.org/jira/browse/HADOOP-1701
>             Project: Hadoop
>          Issue Type: New Feature
>            Reporter: Tsz Wo (Nicholas), SZE
>            Assignee: Tsz Wo (Nicholas), SZE
>         Attachments: 1701_20070821framework.patch, guides20070822.pdf
>
>
> In HADOOP-1298, we want to add user information and permission to the file
> system. It requires an authentication service and a user management service.
> We should provide a framework and a simple implementation in issue and
> extend it later. As discussed in HADOOP-1298, the framework should be
> extensible and pluggable.
> - Extensible: possible to extend the framework to the other parts (e.g.
> map-reduce) of Hadoop.
> - Pluggable: can easily switch security implementations. Below is a diagram
> borrowed from Java.
> !http://java.sun.com/javase/6/docs/technotes/guides/security/overview/images/3.jpg!
> - Implement a Hadoop authentication center (HAC). In the first step, the
> mechanism of HAC is very simple, it keeps track of a list of usernames (we only
> support users, will work on other principals later) in HAC and verifies
> username in user login (yeah, no password). HAC can run inside NameNode or
> run as a standalone server. We will probably use Kerberos to provide more
> sophisticated authentication service.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
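
The contrast raised in the comment above, as an added example (not code from the issue, its patch, or Hadoop): it reads the `user.name` system property and the OS-reported name from the JDK's `com.sun.security.auth.module.UnixSystem#getUsername()`, and always resolves to the OS value. The class `OsUserCheck` and its method names are hypothetical, the `root` value is constructed, and a Unix JDK is assumed.

```java
import com.sun.security.auth.module.UnixSystem;

/** Added illustration; class and method names are hypothetical, not Hadoop's. */
public class OsUserCheck {

    /** User name as reported by the operating system (Unix JDKs only). */
    static String osUserName() {
        return new UnixSystem().getUsername();
    }

    /** User name as claimed by the JVM property, which -Duser.name=... overrides. */
    static String propertyUserName() {
        return System.getProperty("user.name");
    }

    /**
     * Default resolution: only the OS value is trusted. A differing
     * property is reported but never honoured.
     */
    static String resolveUser() {
        String os = osUserName();
        String claimed = propertyUserName();
        if (claimed != null && !claimed.equals(os)) {
            System.err.println("warning: user.name property '" + claimed
                    + "' differs from OS user '" + os + "'; using OS value");
        }
        return os;
    }

    public static void main(String[] args) {
        // Constructed value: has the same effect as launching with -Duser.name=root.
        System.setProperty("user.name", "root");
        System.out.println("property says: " + propertyUserName());
        System.out.println("OS says:       " + osUserName());
        System.out.println("resolved as:   " + resolveUser());
    }
}
```

The resolved name is still asserted by the client process, so a server receiving it has no proof of it; that gap is what the Kerberos plan in the issue description is meant to close.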