[
https://issues.apache.org/jira/browse/HADOOP-9392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13734976#comment-13734976
]
Sanjay Radia commented on HADOOP-9392:
--------------------------------------
Looks like we are mostly in agreement. However I do not agree with the
following:
bq. The 'A' of HAS could be explained as "Authentication", "Authorization", or
"Auditing" or more of them, depending on HAS is provisioned with which role(s).
In this way it's much flexible and better to evolve in future.
I understand the notion of the a central authentication server and that is what
you have explained in the design. I believe that most if not all of the
authorization belongs closer to the resources servers being access. So for now
lets just call this the hadoop-authentication-service. Later if and when we
have design for centralized authorization we can expand the scope of the
service.
I would like to change this jira's title to "Hadoop Authentication Service".
Also drop the SSO from the title since that is not unique to the HAS - today's
Kerberos/Authentication service supports SSO just as the HAS will.
> Token based authentication and Single Sign On
> ---------------------------------------------
>
> Key: HADOOP-9392
> URL: https://issues.apache.org/jira/browse/HADOOP-9392
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Kai Zheng
> Assignee: Kai Zheng
> Fix For: 3.0.0
>
> Attachments: TokenAuth-breakdown.pdf, token-based-authn-plus-sso.pdf,
> token-based-authn-plus-sso-v2.0.pdf
>
>
> This is an umbrella entry for one of project Rhino’s topic, for details of
> project Rhino, please refer to
> https://github.com/intel-hadoop/project-rhino/. The major goal for this entry
> as described in project Rhino was
>
> “Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication
> at the RPC layer, via SASL. However this does not provide valuable attributes
> such as group membership, classification level, organizational identity, or
> support for user defined attributes. Hadoop components must interrogate
> external resources for discovering these attributes and at scale this is
> problematic. There is also no consistent delegation model. HDFS has a simple
> delegation capability, and only Oozie can take limited advantage of it. We
> will implement a common token based authentication framework to decouple
> internal user and service authentication from external mechanisms used to
> support it (like Kerberos)”
>
> We’d like to start our work from Hadoop-Common and try to provide common
> facilities by extending existing authentication framework which support:
> 1. Pluggable token provider interface
> 2. Pluggable token verification protocol and interface
> 3. Security mechanism to distribute secrets in cluster nodes
> 4. Delegation model of user authentication
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
