Hi Jiajia,
Le 24/11/2017 à 04:30, Li, Jiajia a écrit : > Hi all, > > I would like to post a proposal about merging a new project HAS (Hadoop > Authentication Service) to Apache Kerby. HAS is led by Intel and Alibaba, it > is a solution to support the authentication of open source big data ecosystem > in cloud computing platforms. I've created a new branch "has-project" in > Kerby, HAS is under "has" folder. Please look at > https://github.com/apache/directory-kerby/tree/has-project/has for details. Is there some information on HAS, before it was added in a branch ? Typically, where does it come from (ie, the history), specs, documentation, etc ? > > Background and motivation: > At present, the open source big data ecosystems (Hadoop/Spark) only has the > built-in Kerberos support on the security authentication. HAS aims to build a > standalone authentication service for the big data ecosystem that simplifies > the support of Kerberos and allows to use more authentication methods. > > Targets users: > HAS supports various authentication mechanisms other than just Kerberos, and > it provides a new authentication mechanism can be easy customized and plugin > with existing user authentication and authorization system, and security > admins won't have to migrate and sync up their user accounts to Kerberos back > and forth. > > Architecture & Design: > HAS provides a new authentication mechanism ("Kerberos-based token > authentication"), depending on the "TokenPreauth" provided by Apache Kerby. > Please look at > https://github.com/apache/directory-kerby/blob/has-project/has/README.md for > details. > > Features: > 1. Provides new authentication mechanism plugin APIs to customize and > plugin with existing user authentication and authorization system. Please > look at > https://github.com/apache/directory-kerby/blob/has-project/has/README.md for > details. > 2. Provides lots of REST APIs and facility tools to simplify the support > of Kerberos. Kerberos is essentially a protocol, or secure channel, doesn't > have to be that complex to users. Please look at > https://github.com/apache/directory-kerby/blob/has-project/has/doc/rest-api.md > for details. > 3. Provides MySQL backend for High Availability. Please look at > https://github.com/apache/directory-kerby/blob/has-project/has/doc/mysql-backend.md > for details. > 4. New authentication mechanism now supports most of the components of > open source big data ecosystem with little or no changes to components, > including HDFS, HBase, Zookeeper, Hive, Spark.... Please look at > https://github.com/apache/directory-kerby/tree/has-project/has/supports for > details. > > Practice > This solution has been deployed in Alibaba Cloud E-MapReduce production. > > Why to merge? > HAS provides a complete Hadoop/Spark authentication framework and solution > based on Kerberos, HAS can help to upgrade Kerby KDC, make it more solid and > stronger. And if HAS can be merged to Apache Kerby, community will help HAS > grow faster and users can more easily using this solution in their own > production. We have two suggestions about how to merge: > - Option1: > Create a standalone module "kerby-has", putting HAS project under this module. > - Option2: > Suggest replacing kerby-kdc module with HAS, upgrade the Kerby KDC. > > Contributors: > Jiajia, Li (Intel) > Lin, Zeng (Intel) > Zhiqiang, Zhang (Intel) > Kai, Zheng (Intel) > Wei, Wu (Alibaba) > Jun, Song (Alibaba) > Long, Cao (Alibaba) > Zhenyuan, Wei (Alibaba) We would really need ICLA for each of those controbutors who haven't already sent one, and most certain a CCLA from Intel and Alibaba. Otherwise, assuming we check teh code base is 'safe ' (ie no problem with any of its dependency, and clean copyright), I would say I won't oppose to such a move. Keep in mind that the real key here is the maintenance of this piece of code in the long run, too... Thanks ! -- Emmanuel Lecharny Symas.com directory.apache.org
