Hi all,
I would like to post a proposal about merging a new project, HAS (Hadoop
Authentication Service), into Apache Kerby. HAS is led by Intel and Alibaba; it is
a solution to support the authentication of the open source big data ecosystem in
cloud computing platforms. I've created a new branch "has-project" in Kerby;
HAS is under the "has" folder. Please look at
https://github.com/apache/directory-kerby/tree/has-project/has for details.
Background and motivation:
At present, the open source big data ecosystems (Hadoop/Spark) only have
built-in Kerberos support for security authentication. HAS aims to build a
standalone authentication service for the big data ecosystem that simplifies
the support of Kerberos and allows the use of more authentication methods.
Target users:
HAS supports various authentication mechanisms other than just Kerberos, and it
provides a new authentication mechanism that can be easily customized and plugged
in with existing user authentication and authorization systems, so security admins
won't have to migrate and sync up their user accounts to Kerberos back and
forth.
Architecture & Design:
HAS provides a new authentication mechanism ("Kerberos-based token
authentication"), depending on the "TokenPreauth" provided by Apache Kerby.
Please look at
https://github.com/apache/directory-kerby/blob/has-project/has/README.md for
details.
Features:
1. Provides new authentication mechanism plugin APIs to customize and
plug in with existing user authentication and authorization systems. Please look
at https://github.com/apache/directory-kerby/blob/has-project/has/README.md for
details.
2. Provides lots of REST APIs and facility tools to simplify the support
of Kerberos. Kerberos is essentially a protocol, or secure channel, and doesn't
have to be that complex for users. Please look at
https://github.com/apache/directory-kerby/blob/has-project/has/doc/rest-api.md
for details.
3. Provides a MySQL backend for High Availability. Please look at
https://github.com/apache/directory-kerby/blob/has-project/has/doc/mysql-backend.md
for details.
4. The new authentication mechanism now supports most of the components of
the open source big data ecosystem with little or no changes to components,
including HDFS, HBase, Zookeeper, Hive, Spark.... Please look at
https://github.com/apache/directory-kerby/tree/has-project/has/supports for
details.
Practice
This solution has been deployed in Alibaba Cloud E-MapReduce production.
Why merge?
HAS provides a complete Hadoop/Spark authentication framework and solution
based on Kerberos. HAS can help to upgrade the Kerby KDC and make it more solid and
stronger. And if HAS can be merged into Apache Kerby, the community will help HAS
grow faster and users can more easily use this solution in their own
production. We have two suggestions about how to merge:
- Option1:
Create a standalone module "kerby-has", putting HAS project under this module.
- Option2:
Suggest replacing the kerby-kdc module with HAS, upgrading the Kerby KDC.
Contributors:
Jiajia, Li (Intel)
Lin, Zeng (Intel)
Zhiqiang, Zhang (Intel)
Kai, Zheng (Intel)
Wei, Wu (Alibaba)
Jun, Song (Alibaba)
Long, Cao (Alibaba)
Zhenyuan, Wei (Alibaba)
Your review efforts are truly appreciated; please feel free to provide us with your
feedback.
Regards,
Jiajia