[ https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13705174#comment-13705174 ]
Tianyou Li commented on HADOOP-9392:
------------------------------------

Hi James,

Thanks for reviewing.

For the Web SSO flow, usually the IdP will issue a token which is signed to ensure data integrity. So the token issued by the IdP as a result of IdP authentication cannot be modified, because the signing key is a secret of the IdP; other parties cannot get the signing key, so the token cannot be modified. Moreover, once the client is redirected to the IdP for authentication, the client usually needs to verify and accept the server certificate as a step of trust for the IdP via SSL (https), in this way ensuring that the credentials the client is providing are routed to the trusted IdP via a secured channel. The TAS also needs to verify the signature of the token issued by that IdP; this step will prove that the token is exactly issued by the designated IdP and can be authenticated successfully with the TAS.

As mentioned above, TLS/SSL should be enabled to protect credentials transmission during the authentication process with the IdP, and to mitigate MITM attacks. To further improve client authN security, multi-factor authentication such as an additional OTP can also be employed; this is one of our design goals but might not be explicitly mentioned.

Regards.

> Token based authentication and Single Sign On
> ---------------------------------------------
>
> Key: HADOOP-9392
> URL: https://issues.apache.org/jira/browse/HADOOP-9392
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Kai Zheng
> Assignee: Kai Zheng
> Fix For: 3.0.0
>
> Attachments: token-based-authn-plus-sso.pdf,
> token-based-authn-plus-sso-v2.0.pdf
>
>
> This is an umbrella entry for one of project Rhino's topics; for details of
> project Rhino, please refer to
> https://github.com/intel-hadoop/project-rhino/. The major goal for this entry
> as described in project Rhino was
>
> "Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication
> at the RPC layer, via SASL. However this does not provide valuable attributes
> such as group membership, classification level, organizational identity, or
> support for user defined attributes. Hadoop components must interrogate
> external resources for discovering these attributes and at scale this is
> problematic. There is also no consistent delegation model. HDFS has a simple
> delegation capability, and only Oozie can take limited advantage of it. We
> will implement a common token based authentication framework to decouple
> internal user and service authentication from external mechanisms used to
> support it (like Kerberos)"
>
> We'd like to start our work from Hadoop-Common and try to provide common
> facilities by extending the existing authentication framework, which supports:
> 1. Pluggable token provider interface
> 2. Pluggable token verification protocol and interface
> 3. Security mechanism to distribute secrets in cluster nodes
> 4. Delegation model of user authentication
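The token leg of the flow Tianyou Li describes above, as an added example that is not part of the JIRA thread, of the attached design, or of Hadoop's code. It assumes an asymmetric signature (Ed25519 from Go's standard library) so that the TAS can verify without holding the IdP's secret; the Claims fields, the `<base64url(payload)>.<base64url(signature)>` encoding, and the IdP, TAS and ForgeSubject names are assumptions chosen for illustration. The TLS/certificate check on the client's redirect to the IdP is not modelled here; the example only shows why a token cannot be altered or minted by anyone without the designated IdP's private key, and that the TAS must bind the issuer claim to a key it was configured to trust rather than believe the claim itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is what the IdP signs after authenticating a user (field names are assumptions).
type Claims struct {
	Issuer  string   `json:"iss"`
	Subject string   `json:"sub"`
	Groups  []string `json:"groups"`
	Expiry  int64    `json:"exp"` // Unix seconds
}

// IdP holds its private signing key; only the public half is ever handed out.
type IdP struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdP(name string) (*IdP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdP{Name: name, Pub: pub, priv: priv}, nil
}

var b64 = base64.RawURLEncoding

// Issue returns "<base64url(payload)>.<base64url(signature)>" for the authenticated user.
func (p *IdP) Issue(subject string, groups []string, ttl time.Duration, now time.Time) string {
	payload, _ := json.Marshal(Claims{Issuer: p.Name, Subject: subject, Groups: groups, Expiry: now.Add(ttl).Unix()}) // cannot fail for this struct
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(p.priv, payload))
}

// TAS maps each trusted issuer name to the IdP public key it was configured with out of band.
type TAS map[string]ed25519.PublicKey

var (
	ErrMalformed       = errors.New("malformed token")
	ErrUntrustedIssuer = errors.New("issuer is not a trusted IdP")
	ErrBadSignature    = errors.New("signature does not verify under the issuer's key")
	ErrExpired         = errors.New("token expired")
)

// Verify believes nothing in the payload until the signature checks out under the
// key of a trusted issuer; the "iss" claim is used only to pick which key to try.
func (t TAS) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrMalformed
	}
	payload, errP := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[1])
	var c Claims
	if errP != nil || errS != nil || len(sig) != ed25519.SignatureSize || json.Unmarshal(payload, &c) != nil {
		return nil, ErrMalformed
	}
	pub, ok := t[c.Issuer]
	if !ok {
		return nil, ErrUntrustedIssuer
	}
	if !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSignature
	}
	if now.Unix() >= c.Expiry {
		return nil, ErrExpired
	}
	return &c, nil
}

// ForgeSubject rewrites "sub" but keeps the original signature: all a client or MITM can do without the IdP's key.
func ForgeSubject(token, subject string) string {
	parts := strings.SplitN(token, ".", 2)
	payload, _ := b64.DecodeString(parts[0])
	var c Claims
	_ = json.Unmarshal(payload, &c)
	c.Subject = subject
	forged, _ := json.Marshal(c)
	return b64.EncodeToString(forged) + "." + parts[1]
}

func main() {
	idp, _ := NewIdP("corp-idp")
	tas := TAS{"corp-idp": idp.Pub}
	tok := idp.Issue("alice", []string{"hdfs-admins"}, time.Hour, time.Now())
	fmt.Println(tas.Verify(tok, time.Now()))
	fmt.Println(tas.Verify(ForgeSubject(tok, "mallory"), time.Now()))
}
```

Two details matter in practice: the signature is checked before any claim is acted on, and a second IdP that merely calls itself "corp-idp" is rejected because the TAS looks the issuer name up in its own trust configuration rather than accepting a key carried in the token.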