Hi Eric, thank you for starting the discussion.

I'm interested in OpenID Connect (OIDC) integration.

In addition to the benefits (security, cloud native), operating costs may
be reduced in some companies.
We have our company-wide OIDC provider and enable SSO for Hadoop Web UIs
via Knox + OIDC in Yahoo! JAPAN.
On the other hand, Hadoop administrators have to manage our own KDC servers
only for Hadoop ecosystems.
If Hadoop and its ecosystem can support OIDC, we don't have to manage a KDC,
and that way operating costs will be reduced.

Regards,
Akira

On Thu, May 7, 2020 at 7:32 AM Eric Yang <eric...@gmail.com> wrote:

> Hi all,
>
> Kerberos was developed decades before web development became popular.
> There are some Kerberos limitations which do not work well in Hadoop.  A
> few examples of corner cases:
>
> 1. The Kerberos principal doesn't encode the port number, so it is difficult
> to know whether the principal is coming from an authorized daemon or from a
> hacker container trying to forge a service principal.
> 2. Hadoop Kerberos principals are used as high-privileged principals, a form
> of credential to impersonate the end user.
> 3. Delegation tokens may allow expired users to continue to run jobs long
> after they are gone, without rechecking if the end user credentials are still
> valid.
> 4. Passing different forms of tokens does not work well with cloud provider
> security mechanisms.  For example, passing an AWS STS token for an S3 bucket.
> There is no renewal mechanism, nor a good way to identify when the token
> would expire.
>
> There are companies that work on bridging security mechanisms of different
> types, but this is not a primary goal for Hadoop.  Hadoop can benefit from
> modernized security using open standards like OpenID Connect, which
> proposes to unify web applications using SSO.  This ensures the client
> credentials are transported in each stage of client-server interaction.
> This may improve overall security, and provide a more cloud-native form
> factor.  I wonder if there is any interest in the community to enable
> Hadoop OpenID Connect integration work?
>
> regards,
> Eric
>