[ https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14483251#comment-14483251 ]

Larry McCay commented on HADOOP-11717:
--------------------------------------

[~drankye] - Encryption is great where it is required. It isn't required here 
as the cookie should be set to HTTPOnly which will not allow access by JS 
inside of pages and Secure which will require it to be sent over secure 
channels - it is otherwise managed by the browser.

The reason that it extends AltKerberosAuthenticationHandler is to accommodate 
non-browser clients - of which there are a few. Requiring all clients to the 
same endpoints to be able to handle a redirect and challenge - typically with a 
form - will not work. Also, changing all these clients to acquire a token that 
is more appropriate for their usage pattern is outside the scope of this patch. 
This usage pattern will be introduced for such clients in a later effort.

As I answered previously, there is no need to pull the JWT code into a generic 
token handling utility at this point and there is no value in doing so 
prematurely. Slowing progress here in order to do this now - to meet the needs 
of no other consumers would be artificial and unnecessary.

This handler already works for HDFS and YARN UIs - I have tested them.

I see little value in the configuration element changes that you propose:
* Adding token to authentication.provider.url - doesn't make it more general.
* Changing public.key.pem to token.signature.publickey - loses the self 
descriptive nature of it being a pem representation.
* Replacing JWT with token does make it more general but this handler really is 
about JWT support.

I will consider changing these names a bit more but don't see any reason that 
they can't go in the way they are.
We will certainly want to have them nailed down before backporting the patch to 
another branch.


> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
>                 Key: HADOOP-11717
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11717
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>         Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch, 
> HADOOP-11717-3.patch, HADOOP-11717-4.patch, HADOOP-11717-5.patch, 
> HADOOP-11717-6.patch, HADOOP-11717-7.patch, HADOOP-11717-8.patch, 
> RedirectingWebSSOwithJWTforHadoopWebUIs.pdf
>
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler 
> will redirect to when there is no hadoop.auth cookie and no JWT token found 
> in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many 
> SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for 
> compromised use
> This will introduce the use of nimbus-jose-jwt library for processing, 
> validating and parsing JWT tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)