[
https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362086#comment-14362086
]
Kai Zheng commented on HADOOP-11717:
------------------------------------
Hi [~lmccay],
I'm glad to see this, thanks for taking this ! As mentioned in HADOOP-10959, I
had a prototype implementing a Kerberos based token (JWT token) authentication
approach, covering both terminal command use case and web UI case. I attempted
to break down the work but looks like it doesn't go smoothly, as you can see in
HADOOP-10670 and HADOOP-10671. I built the similar web SSO flow for Hadoop web
UI starting with a JWT token. So with that experience, I will look at your
patch and see if anything I can help with.
One thing to clarify is, in the Hadoop auth handler you enhanced, if a JWT
token is there in the session after redirected back, you will validate the
token in the handler itself, right ? No delegate to another service to
authenticate the token, right ? If so, I'm wondering if you could leave the
chance in your codes, so that other effort like HADOOP-10959 can pluggin or
customize the token validation mechanism or behavior. Thanks.
By the way a minor, nimbus-jose-jwt library is a good choice, as also made in
Apache Kerby, where the TokenPreauth is being implemented for the Kerberos
library and KDC. I thought we're much aligned in this part.
> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
> Key: HADOOP-11717
> URL: https://issues.apache.org/jira/browse/HADOOP-11717
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch
>
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler
> will redirect to when there is no hadoop.auth cookie and no JWT token found
> in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many
> SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for
> compromised use
> This will introduce the use of nimbus-jose-jwt library for processing,
> validating and parsing JWT tokens.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
