[ 
https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13699271#comment-13699271
 ] 

Kai Zheng commented on HADOOP-9392:
-----------------------------------

We just updated the TokenAuth design; please help review the new revision. This 
revision incorporates feedback and suggestions from related discussion in the 
community, particularly from Microsoft and others attending the Security design 
lounge session at the Hadoop Summit. Summary of the changes:
1. Revised the approach to now use two tokens, Identity Token plus Access Token, 
particularly considering our authorization framework and compatibility with 
HSSO;
2. Introduced the Authorization Server (AS) from our authorization framework into 
the flow that issues access tokens for clients with identity tokens to access 
services;
3. Refined the proxy access token and the proxy/impersonation flow;
4. Refined the browser web SSO flow regarding access to Hadoop web services;
5. Added the Hadoop RPC access flow regarding CLI clients accessing Hadoop services 
via RPC/SASL;
6. Added a client authentication integration flow to illustrate how desktop logins 
can be integrated into the authentication process to TAS to exchange an identity 
token;
7. Introduced the fine-grained access control flow from the authorization framework; I 
have put it in the appendices section for reference;
8. Added a detailed flow to illustrate Hadoop Simple authentication over 
TokenAuth, in the appendices section;
9. Added a secured task launcher in the appendices, considering possible solutions for 
the Windows platform;
10. Removed low-level contents and not-so-relevant parts from the main body into 
the appendices section.
 
Thanks for your comments and feedback.
                
> Token based authentication and Single Sign On
> ---------------------------------------------
>
>                 Key: HADOOP-9392
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9392
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>             Fix For: 3.0.0
>
>         Attachments: token-based-authn-plus-sso.pdf, 
> token-based-authn-plus-sso-v2.0.pdf
>
>
> This is an umbrella entry for one of project Rhino's topics; for details of 
> project Rhino, please refer to 
> https://github.com/intel-hadoop/project-rhino/. The major goal for this entry 
> as described in project Rhino was 
>  
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication 
> at the RPC layer, via SASL. However this does not provide valuable attributes 
> such as group membership, classification level, organizational identity, or 
> support for user defined attributes. Hadoop components must interrogate 
> external resources for discovering these attributes and at scale this is 
> problematic. There is also no consistent delegation model. HDFS has a simple 
> delegation capability, and only Oozie can take limited advantage of it. We 
> will implement a common token based authentication framework to decouple 
> internal user and service authentication from external mechanisms used to 
> support it (like Kerberos)”
>  
> We'd like to start our work from Hadoop-Common and try to provide common 
> facilities by extending the existing authentication framework, which supports:
> 1. Pluggable token provider interface 
> 2. Pluggable token verification protocol and interface
> 3. Security mechanism to distribute secrets in cluster nodes
> 4. Delegation model of user authentication
