Hi all,

Kerberos was developed a decade before web development became popular. There are some Kerberos limitations which do not work well in Hadoop. A few examples of corner cases:

1. A Kerberos principal doesn't encode the port number, so it is difficult to know if the principal is coming from an authorized daemon or from a hacker container trying to forge the service principal.
2. Hadoop Kerberos principals are used as high-privilege principals, a form of credential to impersonate the end user.
3. A delegation token may allow expired users to continue to run jobs long after they are gone, without rechecking if the end user's credentials are still valid.
4. Passing different forms of tokens does not work well with cloud providers' security mechanisms. For example, passing an AWS STS token for an S3 bucket: there is no renewal mechanism, nor a good way to identify when the token would expire.

There are companies that work on bridging security mechanisms of different types, but this is not a primary goal for Hadoop. Hadoop can benefit from modernized security using open standards like OpenID Connect, which proposes to unify web applications using SSO. This ensures the client credentials are transported in each stage of the client/server interaction. This may improve overall security, and provide a more cloud-native form factor.

I wonder if there is any interest in the community to enable Hadoop OpenID Connect integration work?

regards,
Eric
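The contrast drawn above between a delegation token that is never rechecked and an OpenID Connect credential that carries its own expiry and audience can be made concrete. The following is an added example written for this thread, not code from Eric's post or from Hadoop: it mints a JWT-shaped token with constructed claims and then shows how each stage of a client/server chain (here two hypothetical services, a "namenode" and a "datanode", named only for illustration) can independently re-validate issuer, audience, signature and expiry before acting on it. It uses HS256 with a shared key purely so the example runs offline; a real OIDC provider signs with an asymmetric algorithm and publishes its keys via JWKS, and a real validator would fetch and cache those keys instead of holding a secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    # Assumption for this example only: HS256 with a shared key stands in for
    # the RS256/ES256 signature an OIDC provider would actually produce.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_token(token: str, key: bytes, issuer: str, audience: str,
                   now: Optional[int] = None, leeway: int = 30) -> Tuple[bool, str]:
    """Return (accepted, subject-or-reason). Every hop calls this before trusting the caller."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented_sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    # Pin the algorithm: never let the token choose (rejects alg "none" and key confusion).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        return False, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False, "missing exp"
    # This is the check a long-lived delegation token never repeats:
    # the credential itself says when it stops being valid.
    if now > exp + leeway:
        return False, "expired"
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now + leeway < nbf:
        return False, "not yet valid"
    return True, str(claims.get("sub", ""))


def run_chain(token: str, key: bytes, issuer: str, audience: str, now: int) -> list:
    """Simulate the same bearer credential being checked at each stage of the interaction.
    Service names are hypothetical placeholders for the example."""
    results = []
    for stage in ("namenode", "datanode"):
        ok, detail = validate_token(token, key, issuer, audience, now=now)
        results.append((stage, ok, detail))
        if not ok:
            break  # a failed check stops the request from being forwarded further
    return results


# Constructed sample values; the key and timestamps are not real.
DEMO_KEY = b"example-shared-key-not-for-production"
DEMO_ISSUER = "https://idp.example.test"
DEMO_AUDIENCE = "hadoop-cluster"
DEMO_CLAIMS = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "alice",
               "iat": 1700000000, "exp": 1700000300}
DEMO_TOKEN = mint_token(DEMO_CLAIMS, DEMO_KEY)

if __name__ == "__main__":
    print(run_chain(DEMO_TOKEN, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=1700000100))
    print(run_chain(DEMO_TOKEN, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=1700000400))
```

Running the block shows the first chain accepting "alice" at both stages and the second chain stopping at the first stage with "expired": the downstream service does not have to trust that the upstream one checked, because the expiry travels with the credential. Audience pinning is what keeps a token minted for one service from being replayed against another, which is the role the port number would have played in the Kerberos case above.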