[ https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14483372#comment-14483372 ]

Larry McCay commented on HADOOP-11717:
--------------------------------------

There may very well be use cases where encryption is necessary. I didn't mean to 
say that it is never needed.
This handler is not trying to do any more than it does.

Keep in mind that, as a pluggable handler, this mechanism is completely 
replaceable with some other implementation that fits the needs of a given 
cluster deployment better. There is no precedent being set here that can't be 
replaced.

At the same time, furthering the work done in this patch with follow-up 
improvements is a great plan to move it forward. It is much easier than trying 
to do everything at once.

As for the SSO behavior:

Yes, I have configured the signer secrets to be alike, the cookie domain to 
work across UIs and the expiry of the JWT token to work in various ways across 
the UIs with a single redirect for authentication.

The fact that webhdfs has a completely different authentication filter means 
that REST requests work as normally expected - in this case it will require 
SPNEGO.

{quote} 
I thought you agreed to have general token stuff at some time in the future, even 
if not now, so why don't we use a more general configuration name here right now? 
{quote}

I have no problem with a general token API. The use of a handler specific 
configuration element shouldn't impact this at all. It is up to the handler to 
pass the appropriate parameters to the API.

Thank you for your insights and discussion here, [~drankye].
We will continue to evolve this work to meet as many use cases as appropriate 
and have a truly useful feature set here.
Having it align with future work will also be great.


> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
>                 Key: HADOOP-11717
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11717
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch, 
> HADOOP-11717-3.patch, HADOOP-11717-4.patch, HADOOP-11717-5.patch, 
> HADOOP-11717-6.patch, HADOOP-11717-7.patch, HADOOP-11717-8.patch, 
> RedirectingWebSSOwithJWTforHadoopWebUIs.pdf
>
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler 
> will redirect to when there is no hadoop.auth cookie and no JWT token found 
> in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many 
> SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for 
> compromised use
> This will introduce the use of the nimbus-jose-jwt library for processing, 
> validating and parsing JWT tokens.
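The decision flow the issue description outlines (no hadoop.auth cookie and no valid JWT means a redirect to the external authentication service; a JWT is only trusted if its signature verifies and it has not expired), as an added illustration that is not part of the issue, the patch, or the Hadoop code base. It assumes an HMAC-signed token with a shared secret instead of the nimbus-jose-jwt verification the real handler uses, and the cookie name, secret, and login URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed configuration for this illustration (assumptions, not Hadoop's values):
# the Hadoop handler verifies tokens with nimbus-jose-jwt; here a shared HMAC secret
# stands in so the example runs without that library.
SECRET = b"constructed-demo-secret"
AUTH_COOKIE = "hadoop.auth"                   # set once AuthenticationFilter has authenticated
JWT_COOKIE = "hadoop-jwt"                     # assumed name of the cookie carrying the JWT
LOGIN_URL = "https://sso.example.test/login"  # assumed external authentication service

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(subject: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Issue an HS256 token; stands in for what the external SSO service would mint."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": expires_at}).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"

def verify_jwt(token: str, now: int, secret: bytes = SECRET):
    """Return the subject when the signature verifies and 'exp' is still ahead, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None                      # reject 'none' or any unexpected algorithm
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None                      # tampered payload or wrong signer
        claims = json.loads(_b64url_decode(payload_b64))
        if now >= int(claims["exp"]):
            return None                      # expired: limits the window for a stolen token
        return claims["sub"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                          # a malformed token is treated as absent

def handle_request(cookies: dict, now: int):
    """Mirror the flow in the issue: an existing hadoop.auth cookie is the filter's job,
    a valid JWT authenticates the user, anything else redirects to the SSO service."""
    if AUTH_COOKIE in cookies:
        return ("cookie", None)
    subject = verify_jwt(cookies.get(JWT_COOKIE, ""), now)
    if subject is not None:
        return ("authenticated", subject)
    return ("redirect", LOGIN_URL)
```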



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)