Hi Colm,

>>> These are the backends for retrieving the user credentials right? I meant
>>> what are the different credentials we support - obviously user/password, but
>>> do we support logging in using various tokens?

What user credentials to use depends on the implementation of the plugin; the MySQL plugin and LDAP plugin use user/password for user credentials. Now we don't support creating a token as a user credential, we only change the user credential to AuthToken. If a company has their own identity management system (using a token for authentication, and this system can issue the token to the user), they should implement the following client/server plugin interface to connect the existing authentication system.

HAS client plugin HasClientPlugin:

    // Get the login module type ID, used to distinguish this module from others.
    // Should correspond to the server side module.
    String getLoginType()

    // Perform all the client side login logics, the results wrapped in an AuthToken,
    // will be validated by HAS server.
    AuthToken login(Conf loginConf) throws HasLoginException

HAS server plugin HasServerPlugin:

    // Get the login module type ID, used to distinguish this module from others.
    // Should correspond to the client side module.
    String getLoginType()

    // Perform all the server side authentication logics, the results wrapped in an AuthToken,
    // will be used to exchange a Kerberos ticket.
    AuthToken authenticate(AuthToken userToken) throws HasAuthenException

>>> For both kdc-dist + tool-dist I can build a distribution containing the
>>> required jars. How does it work for HAS?

HAS can be the same as the kdc-dist + tool-dist.

Thanks,
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Saturday, September 8, 2018 12:41 AM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

On Fri, Sep 7, 2018 at 6:26 AM Li, Jiajia <jiajia...@intel.com> wrote:

Hi Colm,

>>> How many different types of client login are supported by the client plugin
>>> "out of the box"?

HAS supports two plugin types: MySQL[1] and LDAP[2]

These are the backends for retrieving the user credentials right?
I meant what are the different credentials we support - obviously user/password, but do we support logging in using various tokens?

Thanks for your reminder, we use "assembly.xml" the same as the file under kdc-dist and tool-dist, I'm not sure should we add the dependency jars in zip/tar/tar.gz for kdc-dist and tool-dist?

For both kdc-dist + tool-dist I can build a distribution containing the required jars. How does it work for HAS?

Yes, the Hadoop should have the patch (https://github.com/apache/directory-kerby/blob/trunk/has-project/supports/hadoop/hadoop-2.7.2.patch); this patch lets the Hadoop Client use HasLoginModule to replace the Krb5LoginModule. In addition to using Credential cache and Keytab for JAAS login, we have added the new login method in HasLoginModule. This new login method will call the HasClient, then HasClient will select the configured plugin to login; after successful login, Kerby KDC will issue a Kerberos ticket, as you said "swapping a non-kerberos credential for a kerberos ticket". In conclusion, the changes in Hadoop are for the Hadoop Client using the new authentication method.

OK now I understand thanks.

Colm.

Thanks,
Jiajia

From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Friday, September 7, 2018 12:24 AM
To: Li, Jiajia <jiajia...@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

Hi Jiajia,

How many different types of client login are supported by the client plugin "out of the box"?

How do I build the distribution? Running "mvn clean install" in "directory-kerby/kerby-dist/has-dist" results in target/has-dist-2.0.0-SNAPSHOT.zip with no jars.

Is it still necessary to patch Hadoop as per (https://github.com/apache/directory-kerby/blob/trunk/has-project/supports/hadoop/README.md)?
I'm wondering why it's necessary to configure Hadoop for "HAS" at all, given that in the diagram we are just sending a kerberos ticket to Hadoop as we normally would? I thought the idea was that HAS enables you to log on to Hadoop by swapping a non-kerberos credential for a kerberos ticket, maybe I misunderstood?

Colm.

On Mon, Aug 27, 2018 at 8:34 AM Li, Jiajia <jiajia...@intel.com> wrote:

Hi Colm,

Thanks for taking time to review.

>a) [WARNING] 'dependencies.dependency.version' for org.json:json:jar is either
>LATEST or RELEASE (both of them are being deprecated) @
>org.apache.kerby:has-tool:[unknown-version],
>/home/colm/src/apache/directory-kerby/kerby-tool/has-tool/pom.xml, line 48,
>column 22

I've removed the org.json dependency.

>b) Should Hadoop 3.0.0 be updated to 3.0.3?
>Does the "HAS project" build a distribution? If so have you followed the steps
>to include the license/copyright issues as per the existing Kerby
>distributions?

The Hadoop version has been upgraded to 3.0.3.
"HAS project" will build a distribution, here is the license folder:
https://github.com/apache/directory-kerby/tree/trunk/kerby-dist/has-dist/licenses

Thanks,
Jiajia

-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Monday, August 13, 2018 8:49 PM
To: kerby@directory.apache.org
Subject: Re: Kerby 2.0.0

OK thanks, give me a few days to review it. Two issues I noticed:

a) [WARNING] 'dependencies.dependency.version' for org.json:json:jar is either LATEST or RELEASE (both of them are being deprecated) @ org.apache.kerby:has-tool:[unknown-version], /home/colm/src/apache/directory-kerby/kerby-tool/has-tool/pom.xml, line 48, column 22

b) Should Hadoop 3.0.0 be updated to 3.0.3?

Does the "HAS project" build a distribution? If so have you followed the steps to include the license/copyright issues as per the existing Kerby distributions?

Colm.

On Fri, Aug 10, 2018 at 8:02 AM, Li, Jiajia <jiajia...@intel.com> wrote:

> Hi all,
>
> We have finished all the tasks for Kerby major release(2.0.0), and
> here is the "getting started" for HAS:
> https://github.com/apache/directory-kerby/blob/trunk/has-project/docs/has-start.md
>
> Thanks,
> Jiajia
>
> -----Original Message-----
> From: Li, Jiajia [mailto:jiajia...@intel.com]
> Sent: Thursday, June 21, 2018 9:11 AM
> To: kerby@directory.apache.org; cohei...@apache.org
> Subject: RE: Kerby 2.0.0
>
> >> Yes that seems reasonable to me. I think the documentation part is
> >> critical - we need some "getting started" type tutorials to explain
> >> how to use the product.
>
> Agree with you, it's also in our plan.
>
> Regards,
> Jiajia
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, June 20, 2018 7:02 PM
> To: kerby@directory.apache.org
> Subject: Re: Kerby 2.0.0
>
> Yes that seems reasonable to me. I think the documentation part is
> critical - we need some "getting started" type tutorials to explain
> how to use the product.
>
> Colm.
>
> On Wed, Jun 20, 2018 at 9:08 AM, Li, Jiajia <jiajia...@intel.com> wrote:
>
> > Hi all,
> >
> > We discussed "Merge HAS to Apache Kerby" in November last year. We
> > started the merging process in DIRKRB-671
> > (https://issues.apache.org/jira/browse/DIRKRB-671)
> > and we also added some new features (such as MySQL plugin) during
> > this process. Now the merging process is coming to an end, we're
> > thinking about a new Kerby major release(2.0.0) with HAS after
> > completing the following tasks:
> >
> > 1. We added MySQL plugin as the default plugin, it's better to add
> >    more plugins (such as LDAP plugin).
> > 2. The remote admin through REST API should support more commands.
> > 3. Add more documents
> > 4. Testing
> >
> > What do you think about this?
> >
> > Regards,
> > Jiajia
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
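
Added example, not part of the thread and not Kerby/HAS code: a sketch of the token-based client/server plugin pair described in the HasClientPlugin/HasServerPlugin reply, showing the server-side checks that should pass before a token is exchanged for a Kerberos ticket. The AuthToken record, the exception classes, the configuration keys, the HMAC-SHA256 token format and the extra method parameters are stand-in assumptions; only the login/authenticate roles come from the interface quoted in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TokenPluginSketch {
    // Stand-ins for the HAS types named in the thread (assumed shapes, not Kerby's classes).
    record AuthToken(String subject, long expiresAt, String signature) {}
    static class HasLoginException extends Exception { HasLoginException(String m) { super(m); } }
    static class HasAuthenException extends Exception { HasAuthenException(String m) { super(m); } }

    // Assumed token format: HMAC-SHA256 over "subject\nexpiry" with the identity system's key.
    static String sign(byte[] key, String subject, long expiresAt) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal((subject + "\n" + expiresAt).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(tag);
    }

    // Client side: wrap the token issued by the identity system; the server decides validity.
    static AuthToken login(Map<String, String> loginConf) throws HasLoginException {
        String sub = loginConf.get("subject"), exp = loginConf.get("expiresAt"), sig = loginConf.get("signature");
        if (sub == null || exp == null || sig == null) throw new HasLoginException("incomplete token");
        return new AuthToken(sub, Long.parseLong(exp), sig);
    }

    // Server side: verify before anything is exchanged for a Kerberos ticket; fail closed.
    static AuthToken authenticate(AuthToken t, byte[] issuerKey, long now) throws HasAuthenException {
        try {
            byte[] expected = sign(issuerKey, t.subject(), t.expiresAt()).getBytes(StandardCharsets.UTF_8);
            byte[] presented = t.signature().getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(expected, presented)) throw new HasAuthenException("bad signature");
        } catch (HasAuthenException e) { throw e;
        } catch (Exception e) { throw new HasAuthenException("verification error"); }
        if (now >= t.expiresAt()) throw new HasAuthenException("token expired");
        return t;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed sample
        long now = 1_536_364_800L, exp = now + 300;
        Map<String, String> conf = Map.of("subject", "alice", "expiresAt", Long.toString(exp),
                                          "signature", sign(key, "alice", exp));
        System.out.println(authenticate(login(conf), key, now).subject());       // accepted
        AuthToken forged = new AuthToken("admin", exp, conf.get("signature"));   // subject changed
        try { authenticate(forged, key, now); } catch (HasAuthenException e) { System.out.println(e.getMessage()); }
    }
}
```

The client plugin only packages the credential; every trust decision (signature, expiry, and in a real deployment issuer and audience) belongs in the server plugin, because its output is what gets exchanged for a ticket.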