On Mon, Nov 27, 2017 at 6:19 AM, Li, Jiajia <[email protected]> wrote:
> > > We will fix these dependencies soon. One question: I found Apache Hadoop > also using the Jersey, could we using it through adding the license file? > I think Jersey is OK as it is CDDL: https://www.apache.org/legal/resolved.html "Software under the following licenses may be included in binary form within an Apache product if the inclusion is appropriately labeled (see below): - Common Development and Distribution Licenses: CDDL 1.0 <https://opensource.org/licenses/CDDL-1.0> and CDDL 1.1 <https://spdx.org/licenses/CDDL-1.1.html>" Colm. > > > > Plugins, especially "RAM": > > * What does "RAM" mean? > > * The RAM plugin is not included but tests and default config seem to > require it. Classes > org.apache.hadoop.has.plugins.client.aliyun.AliyunHasClientPlugin > and org.apache.hadoop.has.plugins.server.aliyun.AliyunHasServerPlugin are > not available. Will those also be contributed? > > * There is no other (default) implementation of HasClientPlugin. Is the > project still already usable? Or is it only a framework and more > development effort is requried to implement the plugins? > > "RAM" is an example plugin type, It's the name of existing user > authentication system. I think it's universal enough, so I removed all the > code associated with this plugin. This project is a framework, users should > implement their own plugins(including client and server). But we will > provide the default implementation of HasClientPlugin in the future work. > Do you have any suggestions for default plugin? LDAP or others? > > > > Hadoop or Kerby/Directory: > > * The project name includes Hadoop, the Maven groupId is > org.apache.hadoop, Java package names are org.apache.hadoop.has. Was it > planned to contribute this to Hadoop? Or does it make more sense to > contribute it to Hadoop directly? > > No, we won't contribute it to Hadoop. We will change the Maven groupId to > "org.apache.kerby". > > > > * On the other hand it seems to be also useful otherwise, like to > configure Kerby KDC via REST and to be able to plugin other authentication > providers, am I right? Then it totally makes sense to include it into > Kerby. But in that case I'd suggest to change the names. > > Yes, you are right, HAS provides lots of REST APIs to config Kerby KDC, > and the new authentication mechanism is able to plugin the existing user > authentication system. I thinks it's ok to change the name of "HAS" if we > merge it to replace kerby-kdc module to upgrade the Kerby KDC, and do you > have a suggest name? > On the other hand, "HAS" also provides the supports for Hadoop ecosystem, > it's a complete framework for Hadoop Ecosystem, so I think "HAS" is a good > choice if we want to create a standalone module for it. Please correct me > if I am wrong. > > Thanks, > Jiajia > > -----Original Message----- > From: Stefan Seelmann [mailto:[email protected]] > Sent: Sunday, November 26, 2017 12:22 AM > To: Apache Directory Developers List <[email protected]>; > [email protected] > Subject: Re: [DISCUSS] Merge HAS to Apache Kerby > > I browsed the code and documentation, here some notes and questions: > > Was the HAS developed as open source project in public? In readme I see > some links to github.com/intel-bigdata/has but that only gives 404. > > Are all the contributors already ASF committers or have an ICLA on file? > Otherwise I'm afraid IP clearance is required. > > Dependencies: > * MySQL JDBC driver is GPLv2 which is not compatible with Apache. > (alternative: Drizzle JDBC) > * Some dependencies (Jersey, Glassfish) are CDDL licensed which is not > compatible with Apache. (alternatives: CXF, Geronimo) > * For some dependencies I cannot find a license: > com.aliyun:aliyun-java-sdk-core and com.aliyun:aliyun-java-sdk-ram > > Plugins, especially "RAM": > * What does "RAM" mean? > * The RAM plugin is not included but tests and default config seem to > require it. Classes > org.apache.hadoop.has.plugins.client.aliyun.AliyunHasClientPlugin > and org.apache.hadoop.has.plugins.server.aliyun.AliyunHasServerPlugin are > not available. Will those also be contributed? > * There is no other (default) implementation of HasClientPlugin. Is the > project still already usable? Or is it only a framework and more > development effort is requried to implement the plugins? > > Hadoop or Kerby/Directory: > * The project name includes Hadoop, the Maven groupId is > org.apache.hadoop, Java package names are org.apache.hadoop.has. Was it > planned to contribute this to Hadoop? Or does it make more sense to > contribute it to Hadoop directly? > * On the other hand it seems to be also useful otherwise, like to > configure Kerby KDC via REST and to be able to plugin other authentication > providers, am I right? Then it totally makes sense to include it into > Kerby. But in that case I'd suggest to change the names. > > Kind Regards, > Stefan > > > > On 11/24/2017 04:30 AM, Li, Jiajia wrote: > > Hi all, > > > > I would like to post a proposal about merging a new project HAS (Hadoop > Authentication Service) to Apache Kerby. HAS is led by Intel and Alibaba, > it is a solution to support the authentication of open source big data > ecosystem in cloud computing platforms. I've created a new branch > "has-project" in Kerby, HAS is under "has" folder. Please look at > https://github.com/apache/directory-kerby/tree/has-project/has for > details. > > > > Background and motivation: > > At present, the open source big data ecosystems (Hadoop/Spark) only has > the built-in Kerberos support on the security authentication. HAS aims to > build a standalone authentication service for the big data ecosystem that > simplifies the support of Kerberos and allows to use more authentication > methods. > > > > Targets users: > > HAS supports various authentication mechanisms other than just Kerberos, > and it provides a new authentication mechanism can be easy customized and > plugin with existing user authentication and authorization system, and > security admins won't have to migrate and sync up their user accounts to > Kerberos back and forth. > > > > Architecture & Design: > > HAS provides a new authentication mechanism ("Kerberos-based token > authentication"), depending on the "TokenPreauth" provided by Apache Kerby. > Please look at https://github.com/apache/directory-kerby/blob/has- > project/has/README.md for details. > > > > Features: > > 1. Provides new authentication mechanism plugin APIs to customize > and plugin with existing user authentication and authorization system. > Please look at https://github.com/apache/directory-kerby/blob/has- > project/has/README.md for details. > > 2. Provides lots of REST APIs and facility tools to simplify the > support of Kerberos. Kerberos is essentially a protocol, or secure channel, > doesn't have to be that complex to users. Please look at > https://github.com/apache/directory-kerby/blob/has- > project/has/doc/rest-api.md for details. > > 3. Provides MySQL backend for High Availability. Please look at > https://github.com/apache/directory-kerby/blob/has- > project/has/doc/mysql-backend.md for details. > > 4. New authentication mechanism now supports most of the components > of open source big data ecosystem with little or no changes to components, > including HDFS, HBase, Zookeeper, Hive, Spark.... Please look at > https://github.com/apache/directory-kerby/tree/has-project/has/supports > for details. > > > > Practice > > This solution has been deployed in Alibaba Cloud E-MapReduce production. > > > > Why to merge? > > HAS provides a complete Hadoop/Spark authentication framework and > solution based on Kerberos, HAS can help to upgrade Kerby KDC, make it more > solid and stronger. And if HAS can be merged to Apache Kerby, community > will help HAS grow faster and users can more easily using this solution in > their own production. We have two suggestions about how to merge: > > - Option1: > > Create a standalone module "kerby-has", putting HAS project under this > module. > > - Option2: > > Suggest replacing kerby-kdc module with HAS, upgrade the Kerby KDC. > > > > Contributors: > > Jiajia, Li (Intel) > > Lin, Zeng (Intel) > > Zhiqiang, Zhang (Intel) > > Kai, Zheng (Intel) > > Wei, Wu (Alibaba) > > Jun, Song (Alibaba) > > Long, Cao (Alibaba) > > Zhenyuan, Wei (Alibaba) > > > > Your review efforts are truly appreciated, please feel free to provide > us your feedback. > > > > Regards, > > Jiajia > > > > > > > > > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
