[ https://issues.apache.org/jira/browse/HADOOP-9533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13675130#comment-13675130 ]

Kevin Minder commented on HADOOP-9533:
--------------------------------------

I'm happy to announce that we have secured a time slot and dedicated space 
during Hadoop Summit NA dedicated to forward-looking Hadoop security design 
collaboration.  Currently, a room has been allocated on the 26th from 1:45 to 
3:30 PT.  Specific location will be available at the Summit and any changes in 
date or time will be announced publicly to the best of our abilities.  In order 
to create a manageable agenda for this session, I'd like to schedule some prep 
meetings via meetup.com to start discussions and preparations with those that 
would be interested in co-organizing the session.
                
> Centralized Hadoop SSO/Token Server
> -----------------------------------
>
>                 Key: HADOOP-9533
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9533
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>         Attachments: HSSO-Interaction-Overview-rev-1.docx, 
> HSSO-Interaction-Overview-rev-1.pdf
>
>
> This is an umbrella Jira filing to oversee a set of proposals for introducing 
> a new master service for Hadoop Single Sign On (HSSO).
>
> There is an increasing need for pluggable authentication providers that 
> authenticate both users and services as well as validate tokens in order to 
> federate identities authenticated by trusted IDPs. These IDPs may be deployed 
> within the enterprise or third-party IDPs that are external to the enterprise.
> These needs speak to a specific pain point, which is a narrow integration 
> path into the enterprise identity infrastructure. Kerberos is a fine solution 
> for those that already have it in place or are willing to adopt its use, but 
> there remains a class of user that finds this unacceptable and needs to 
> integrate with a wider variety of identity management solutions.
>
> Another specific pain point is that of rolling and distributing keys. A 
> related and integral part of the HSSO server is a library called the Credential 
> Management Framework (CMF), which will be a common library for easing the 
> management of secrets, keys and credentials.
>
> Initially, the existing delegation, block access and job tokens will continue 
> to be utilized. There may be some changes required to leverage a PKI based 
> signature facility rather than shared secrets. This is a means to simplify 
> the solution for the pain point of distributing shared secrets.
>
> This project will primarily centralize the responsibility of authentication 
> and federation into a single service that is trusted across the Hadoop 
> cluster and optionally across multiple clusters. This greatly simplifies a 
> number of things in the Hadoop ecosystem:
> 1. a single token format that is used across all of Hadoop regardless of 
>    authentication method
> 2. a single service to have pluggable providers instead of all services
> 3. a single token authority that would be trusted across the cluster/s and 
>    through PKI encryption be able to easily issue cryptographically verifiable 
>    tokens
> 4. automatic rolling of the token authority's keys and publishing of the 
>    public key for easy access by those parties that need to verify incoming 
>    tokens
> 5. use of PKI for signatures eliminates the need for securely sharing and 
>    distributing shared secrets
>
> In addition to serving as the internal Hadoop SSO service, this service will 
> be leveraged by the Knox Gateway from the cluster perimeter in order to 
> acquire the Hadoop cluster tokens. The same token mechanism that is used for 
> internal services will be used to represent user identities, providing for 
> interesting scenarios such as SSO across Hadoop clusters within an enterprise 
> and/or into the cloud.
>
> The HSSO service will be comprised of three major components and capabilities:
> 1. Federating IDP – authenticates users/services and issues the common 
>    Hadoop token
> 2. Federating SP – validates the token of trusted external IDPs and issues 
>    the common Hadoop token
> 3. Token Authority – management of the common Hadoop tokens, including:
>    a. Issuance
>    b. Renewal
>    c. Revocation
>
> As this is a meta Jira for tracking this overall effort, the details of the 
> individual efforts will be submitted along with the child Jira filings.
> Hadoop-Common would seem to be the most appropriate home for such a service 
> and its related common facilities. We will also leverage and extend existing 
> common mechanisms as appropriate.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
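The token authority described in points 3 to 5 of the quoted issue (a single authority that signs a common token with PKI, rolls its keys automatically, and publishes the public keys so any service can verify tokens without a shared secret), sketched as an added Go example; this is not HSSO, CMF or Hadoop code, and the Token layout, the integer key-id scheme and the use of Ed25519 are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"strconv"
)

// Token is an assumed layout for the common token: which authority key signed it, the principal, an expiry, the signature.
type Token struct{ Kid int; User string; Exp int64; Sig []byte }

// signedBytes is the canonical string the signature covers; the key id is inside it so a token cannot be re-bound to another published key.
func signedBytes(t Token) []byte {
	return []byte(strconv.Itoa(t.Kid) + "|" + t.User + "|" + strconv.FormatInt(t.Exp, 10))
}

// TokenAuthority holds the single active private key; Pubs is the published public-key set (index = key id) that verifiers fetch.
type TokenAuthority struct{ kid int; priv ed25519.PrivateKey; Pubs []ed25519.PublicKey }

// RollKey retires the current private key and publishes a new public key under a fresh id.
// Older public keys stay published, so tokens issued before the roll remain verifiable.
func (ta *TokenAuthority) RollKey() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	ta.Pubs = append(ta.Pubs, pub) // publish; never the private half
	ta.kid, ta.priv = len(ta.Pubs)-1, priv
	return nil
}

// Issue signs a token for user with the active key and stamps it with that key's id.
func (ta *TokenAuthority) Issue(user string, exp int64) Token {
	t := Token{Kid: ta.kid, User: user, Exp: exp}
	t.Sig = ed25519.Sign(ta.priv, signedBytes(t))
	return t
}

// Verify is what any cluster service runs holding only the published keys:
// it rejects unknown key ids, altered or forged tokens, and expired tokens.
func Verify(pubs []ed25519.PublicKey, t Token, now int64) error {
	if t.Kid < 0 || t.Kid >= len(pubs) || !ed25519.Verify(pubs[t.Kid], signedBytes(t), t.Sig) {
		return errors.New("unknown key id or bad signature")
	}
	if now >= t.Exp {
		return errors.New("expired token")
	}
	return nil
}
```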
