[
https://issues.apache.org/jira/browse/HADOOP-12082?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15596581#comment-15596581
]
Hrishikesh Gadre commented on HADOOP-12082:
-------------------------------------------
[~yuanbo]
bq. When you said LDAP based authentication, did you mean authentication filter
which supports delegation?
The jira addresses the requirement where more than one authentication mode need
to be configured e.g. consider a case where some of the users can not be
authenticated using kerberos since they reside outside the kerberos domain. So
with this mechanism, you can configure two authentication schemes (a) SPNEGO
scheme using kerberos auth and (b) BASIC scheme using LDAP auth. Hence the
users which are outside kerberos domain can provide username/password to
authenticate against LDAP (or Active Directory) server.
Also the underlying framework is extensible so you can implement different
mechanisms as well e.g. instead of LDAP auth - you can use a database backend
for storing the credentials. For this - you will need to provide a different
authentication handler implementation using LdapAuthenticationHandler.java as a
reference.
BTW HADOOP-9054 also targeted the same use-case, although that implementation
was not confirming the HTTP protocol semantics. More explanation is available
in the jira description.
bq. I was anticipating there were some descriptions about configuration work of
core-site/hdfs-site, but there weren't.
The authentication handler is configured as part of configuring Hadoop
AuthenticationFilter. This is typically done via web.xml (or other web
container/application specific means). e.g. following link provide steps to
configure authentication handler for Oozie
https://oozie.apache.org/docs/4.2.0/ENG_Custom_Authentication.html#Provide_Custom_Authentication_to_Oozie_Server
> Support multiple authentication schemes via AuthenticationFilter
> ----------------------------------------------------------------
>
> Key: HADOOP-12082
> URL: https://issues.apache.org/jira/browse/HADOOP-12082
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.6.0
> Reporter: Hrishikesh Gadre
> Assignee: Hrishikesh Gadre
> Attachments: HADOOP-12082-001.patch, HADOOP-12082-002.patch,
> HADOOP-12082-003.patch, HADOOP-12082-004.patch, HADOOP-12082-005.patch,
> HADOOP-12082-006.patch, HADOOP-12082-branch-2-001.patch,
> HADOOP-12082-branch-2-002.patch, HADOOP-12082-branch-2.8-001.patch,
> HADOOP-12082-branch-2.8.patch, HADOOP-12082-branch-2.patch,
> HADOOP-12082.patch, hadoop-ldap-auth-v2.patch, hadoop-ldap-auth-v3.patch,
> hadoop-ldap-auth-v4.patch, hadoop-ldap-auth-v5.patch,
> hadoop-ldap-auth-v6.patch, hadoop-ldap.patch,
> multi-scheme-auth-support-poc.patch
>
>
> The requirement is to support LDAP based authentication scheme via Hadoop
> AuthenticationFilter. HADOOP-9054 added a support to plug-in custom
> authentication scheme (in addition to Kerberos) via
> AltKerberosAuthenticationHandler class. But it is based on selecting the
> authentication mechanism based on User-Agent HTTP header which does not
> conform to HTTP protocol semantics.
> As per [RFC-2616|http://www.w3.org/Protocols/rfc2616/rfc2616.html]
> - HTTP protocol provides a simple challenge-response authentication mechanism
> that can be used by a server to challenge a client request and by a client to
> provide the necessary authentication information.
> - This mechanism is initiated by server sending the 401 (Authenticate)
> response with ‘WWW-Authenticate’ header which includes at least one challenge
> that indicates the authentication scheme(s) and parameters applicable to the
> Request-URI.
> - In case server supports multiple authentication schemes, it may return
> multiple challenges with a 401 (Authenticate) response, and each challenge
> may use a different auth-scheme.
> - A user agent MUST choose to use the strongest auth-scheme it understands
> and request credentials from the user based upon that challenge.
> The existing Hadoop authentication filter implementation supports Kerberos
> authentication scheme and uses ‘Negotiate’ as the challenge as part of
> ‘WWW-Authenticate’ response header. As per the following documentation,
> ‘Negotiate’ challenge scheme is only applicable to Kerberos (and Windows
> NTLM) authentication schemes.
> [SPNEGO-based Kerberos and NTLM HTTP
> Authentication|http://tools.ietf.org/html/rfc4559]
> [Understanding HTTP
> Authentication|https://msdn.microsoft.com/en-us/library/ms789031%28v=vs.110%29.aspx]
> On the other hand for LDAP authentication, typically ‘Basic’ authentication
> scheme is used (Note TLS is mandatory with Basic authentication scheme).
> http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html
> Hence for this feature, the idea would be to provide a custom implementation
> of Hadoop AuthenticationHandler and Authenticator interfaces which would
> support both schemes - Kerberos (via Negotiate auth challenge) and LDAP (via
> Basic auth challenge). During the authentication phase, it would send both
> the challenges and let client pick the appropriate one. If client responds
> with an ‘Authorization’ header tagged with ‘Negotiate’ - it will use Kerberos
> authentication. If client responds with an ‘Authorization’ header tagged with
> ‘Basic’ - it will use LDAP authentication.
> Note - some HTTP clients (e.g. curl or Apache Http Java client) need to be
> configured to use one scheme over the other e.g.
> - curl tool supports option to use either Kerberos (via --negotiate flag) or
> username/password based authentication (via --basic and -u flags).
> - Apache HttpClient library can be configured to use specific authentication
> scheme.
> http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html
> Typically web browsers automatically choose an authentication scheme based on
> a notion of “strength” of security. e.g. take a look at the [design of Chrome
> browser for HTTP
> authentication|https://www.chromium.org/developers/design-documents/http-authentication]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
