Thanks Stefan. > Was the HAS developed as open source project in public?
No, HAS is a private repo under https://github.com/Intel-bigdata. > In readme I see some links to github.com/intel-bigdata/has but that only > gives 404. Sorry for my mistake, I've fixed the links. Dependencies: > * MySQL JDBC driver is GPLv2 which is not compatible with Apache. (alternative: Drizzle JDBC) > * Some dependencies (Jersey, Glassfish) are CDDL licensed which is not > compatible with Apache. (alternatives: CXF, Geronimo) > * For some dependencies I cannot find a license: > com.aliyun:aliyun-java-sdk-core and com.aliyun:aliyun-java-sdk-ram We will fix these dependencies soon. One question: I found Apache Hadoop also using the Jersey, could we using it through adding the license file? > Plugins, especially "RAM": > * What does "RAM" mean? > * The RAM plugin is not included but tests and default config seem to require > it. Classes org.apache.hadoop.has.plugins.client.aliyun.AliyunHasClientPlugin > and org.apache.hadoop.has.plugins.server.aliyun.AliyunHasServerPlugin are not > available. Will those also be contributed? > * There is no other (default) implementation of HasClientPlugin. Is the > project still already usable? Or is it only a framework and more development > effort is requried to implement the plugins? "RAM" is an example plugin type, It's the name of existing user authentication system. I think it's universal enough, so I removed all the code associated with this plugin. This project is a framework, users should implement their own plugins(including client and server). But we will provide the default implementation of HasClientPlugin in the future work. Do you have any suggestions for default plugin? LDAP or others? > Hadoop or Kerby/Directory: > * The project name includes Hadoop, the Maven groupId is org.apache.hadoop, > Java package names are org.apache.hadoop.has. Was it planned to contribute > this to Hadoop? Or does it make more sense to contribute it to Hadoop > directly? No, we won't contribute it to Hadoop. We will change the Maven groupId to "org.apache.kerby". > * On the other hand it seems to be also useful otherwise, like to configure > Kerby KDC via REST and to be able to plugin other authentication providers, > am I right? Then it totally makes sense to include it into Kerby. But in that > case I'd suggest to change the names. Yes, you are right, HAS provides lots of REST APIs to config Kerby KDC, and the new authentication mechanism is able to plugin the existing user authentication system. I thinks it's ok to change the name of "HAS" if we merge it to replace kerby-kdc module to upgrade the Kerby KDC, and do you have a suggest name? On the other hand, "HAS" also provides the supports for Hadoop ecosystem, it's a complete framework for Hadoop Ecosystem, so I think "HAS" is a good choice if we want to create a standalone module for it. Please correct me if I am wrong. Thanks, Jiajia -----Original Message----- From: Stefan Seelmann [mailto:[email protected]] Sent: Sunday, November 26, 2017 12:22 AM To: Apache Directory Developers List <[email protected]>; [email protected] Subject: Re: [DISCUSS] Merge HAS to Apache Kerby I browsed the code and documentation, here some notes and questions: Was the HAS developed as open source project in public? In readme I see some links to github.com/intel-bigdata/has but that only gives 404. Are all the contributors already ASF committers or have an ICLA on file? Otherwise I'm afraid IP clearance is required. Dependencies: * MySQL JDBC driver is GPLv2 which is not compatible with Apache. (alternative: Drizzle JDBC) * Some dependencies (Jersey, Glassfish) are CDDL licensed which is not compatible with Apache. (alternatives: CXF, Geronimo) * For some dependencies I cannot find a license: com.aliyun:aliyun-java-sdk-core and com.aliyun:aliyun-java-sdk-ram Plugins, especially "RAM": * What does "RAM" mean? * The RAM plugin is not included but tests and default config seem to require it. Classes org.apache.hadoop.has.plugins.client.aliyun.AliyunHasClientPlugin and org.apache.hadoop.has.plugins.server.aliyun.AliyunHasServerPlugin are not available. Will those also be contributed? * There is no other (default) implementation of HasClientPlugin. Is the project still already usable? Or is it only a framework and more development effort is requried to implement the plugins? Hadoop or Kerby/Directory: * The project name includes Hadoop, the Maven groupId is org.apache.hadoop, Java package names are org.apache.hadoop.has. Was it planned to contribute this to Hadoop? Or does it make more sense to contribute it to Hadoop directly? * On the other hand it seems to be also useful otherwise, like to configure Kerby KDC via REST and to be able to plugin other authentication providers, am I right? Then it totally makes sense to include it into Kerby. But in that case I'd suggest to change the names. Kind Regards, Stefan On 11/24/2017 04:30 AM, Li, Jiajia wrote: > Hi all, > > I would like to post a proposal about merging a new project HAS (Hadoop > Authentication Service) to Apache Kerby. HAS is led by Intel and Alibaba, it > is a solution to support the authentication of open source big data ecosystem > in cloud computing platforms. I've created a new branch "has-project" in > Kerby, HAS is under "has" folder. Please look at > https://github.com/apache/directory-kerby/tree/has-project/has for details. > > Background and motivation: > At present, the open source big data ecosystems (Hadoop/Spark) only has the > built-in Kerberos support on the security authentication. HAS aims to build a > standalone authentication service for the big data ecosystem that simplifies > the support of Kerberos and allows to use more authentication methods. > > Targets users: > HAS supports various authentication mechanisms other than just Kerberos, and > it provides a new authentication mechanism can be easy customized and plugin > with existing user authentication and authorization system, and security > admins won't have to migrate and sync up their user accounts to Kerberos back > and forth. > > Architecture & Design: > HAS provides a new authentication mechanism ("Kerberos-based token > authentication"), depending on the "TokenPreauth" provided by Apache Kerby. > Please look at > https://github.com/apache/directory-kerby/blob/has-project/has/README.md for > details. > > Features: > 1. Provides new authentication mechanism plugin APIs to customize and > plugin with existing user authentication and authorization system. Please > look at > https://github.com/apache/directory-kerby/blob/has-project/has/README.md for > details. > 2. Provides lots of REST APIs and facility tools to simplify the support > of Kerberos. Kerberos is essentially a protocol, or secure channel, doesn't > have to be that complex to users. Please look at > https://github.com/apache/directory-kerby/blob/has-project/has/doc/rest-api.md > for details. > 3. Provides MySQL backend for High Availability. Please look at > https://github.com/apache/directory-kerby/blob/has-project/has/doc/mysql-backend.md > for details. > 4. New authentication mechanism now supports most of the components of > open source big data ecosystem with little or no changes to components, > including HDFS, HBase, Zookeeper, Hive, Spark.... Please look at > https://github.com/apache/directory-kerby/tree/has-project/has/supports for > details. > > Practice > This solution has been deployed in Alibaba Cloud E-MapReduce production. > > Why to merge? > HAS provides a complete Hadoop/Spark authentication framework and solution > based on Kerberos, HAS can help to upgrade Kerby KDC, make it more solid and > stronger. And if HAS can be merged to Apache Kerby, community will help HAS > grow faster and users can more easily using this solution in their own > production. We have two suggestions about how to merge: > - Option1: > Create a standalone module "kerby-has", putting HAS project under this module. > - Option2: > Suggest replacing kerby-kdc module with HAS, upgrade the Kerby KDC. > > Contributors: > Jiajia, Li (Intel) > Lin, Zeng (Intel) > Zhiqiang, Zhang (Intel) > Kai, Zheng (Intel) > Wei, Wu (Alibaba) > Jun, Song (Alibaba) > Long, Cao (Alibaba) > Zhenyuan, Wei (Alibaba) > > Your review efforts are truly appreciated, please feel free to provide us > your feedback. > > Regards, > Jiajia > > > >
