[ https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362086#comment-14362086 ]
Kai Zheng commented on HADOOP-11717:
------------------------------------

Hi [~lmccay], I'm glad to see this, thanks for taking this! As mentioned in HADOOP-10959, I had a prototype implementing a Kerberos-based token (JWT token) authentication approach, covering both the terminal command use case and the web UI case. I attempted to break down the work, but it looks like it didn't go smoothly, as you can see in HADOOP-10670 and HADOOP-10671. I built a similar web SSO flow for the Hadoop web UI starting with a JWT token. So with that experience, I will look at your patch and see if there is anything I can help with.

One thing to clarify is, in the Hadoop auth handler you enhanced, if a JWT token is there in the session after being redirected back, you will validate the token in the handler itself, right? No delegation to another service to authenticate the token, right? If so, I'm wondering if you could leave the chance in your code so that other efforts like HADOOP-10959 can plug in or customize the token validation mechanism or behavior. Thanks.

By the way, a minor point: the nimbus-jose-jwt library is a good choice, as also made in Apache Kerby, where the TokenPreauth is being implemented for the Kerberos library and KDC. I thought we were much aligned in this part.

> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
>                 Key: HADOOP-11717
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11717
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>         Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler
> will redirect to when there is no hadoop.auth cookie and no JWT token found
> in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many
> SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for
> compromised use
> This will introduce the use of nimbus-jose-jwt library for processing,
> validating and parsing JWT tokens.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
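The decision flow the issue description lays out (accept an existing hadoop.auth cookie, otherwise validate a JWT's signature and expiry, otherwise redirect to the external SSO service), as an added Python example; this is not code from the patch, from Hadoop or from nimbus-jose-jwt. The cookie name hadoop-jwt, the SSO URL and the HS256 key are assumptions; the patch uses nimbus-jose-jwt, whereas this version verifies HS256 with the standard library so it runs offline, and it also rejects any token whose header does not name the expected algorithm.

```python
import base64, hmac, hashlib, json, time
from urllib.parse import quote

# Constructed example values: cookie name, SSO URL and key are assumptions,
# not taken from HADOOP-11717 or the Hadoop code base.
JWT_COOKIE = "hadoop-jwt"
SSO_URL = "https://sso.example.org/login"
HMAC_KEY = b"constructed-demo-key-not-for-production"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def validate_jwt(token: str, key: bytes = HMAC_KEY, now=None):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":      # refuse 'none' and any unexpected algorithm
            return None
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None                       # tampered payload or wrong key
        claims = json.loads(_b64url_decode(p64))
    except (ValueError, json.JSONDecodeError):
        return None                           # malformed token
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:   # limited lifetime window
        return None
    return claims

def handle_request(cookies: dict, request_url: str, now=None):
    """Mimic the handler's decision: authenticated, or redirect to the SSO service."""
    if "hadoop.auth" in cookies:              # already authenticated by Hadoop auth
        return ("authenticated", cookies["hadoop.auth"])
    claims = validate_jwt(cookies.get(JWT_COOKIE, ""), now=now)
    if claims:
        return ("authenticated", claims.get("sub"))
    # No usable credential: send the browser to the external SSO service,
    # carrying the original URL so it can be redirected back afterwards.
    return ("redirect", f"{SSO_URL}?originalUrl={quote(request_url, safe='')}")

def make_jwt(claims: dict, key: bytes = HMAC_KEY) -> str:
    """Mint an HS256 token; used only to build input for exercising the handler."""
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    h64, p64 = enc({"alg": "HS256", "typ": "JWT"}), enc(claims)
    sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()
```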