[jira] [Commented] (HADOOP-9653) Token validation and transmission

2013-06-21 Thread Kevin Minder (JIRA)

[ https://issues.apache.org/jira/browse/HADOOP-9653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13690399#comment-13690399 ]

Kevin Minder commented on HADOOP-9653:
--

To be a bit more concrete about this, how would GSS for SASL and SPNEGO be used 
for, say, Ping Federate integration?

Token validation and transmission
---------------------------------

Key: HADOOP-9653
URL: https://issues.apache.org/jira/browse/HADOOP-9653
Project: Hadoop Common
Issue Type: Sub-task
Components: security
Reporter: Kai Zheng
Assignee: Kai Zheng
Labels: rhino
Fix For: 3.0.0


HADOOP-9392 proposes to have a customizable token authenticator for services to 
implement the TokenAuthn method, and it was thought that supporting pluggable 
token validation is a significant feature in itself, so it deserves to be 
addressed in a separate JIRA. It will also consider how to securely transmit 
tokens in Hadoop RPC in a way that defends against all of the classical attacks. 
Note the authentication negotiation and wrapping of Hadoop RPC should be 
backwards compatible and interoperable with existing deployments, and therefore 
be SASL based.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Commented] (HADOOP-9653) Token validation and transmission

2013-06-21 Thread Kai Zheng (JIRA)

[ https://issues.apache.org/jira/browse/HADOOP-9653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13690468#comment-13690468 ]

Kai Zheng commented on HADOOP-9653:
---

This falls into the 3rd case, in situations where SPNEGO might not work for web 
services, and a special filter should be used to contact the IdP like Ping 
Federate first, get the authentication result, exchange the identity token and 
so on. I would discuss this concrete flow separately.



[jira] [Commented] (HADOOP-9653) Token validation and transmission

2013-06-20 Thread Kai Zheng (JIRA)

[ https://issues.apache.org/jira/browse/HADOOP-9653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13689398#comment-13689398 ]

Kai Zheng commented on HADOOP-9653:
---

At any rate, I have difficulty visualizing how arbitrary token types are 
going to be presented by the clients for either RPC or HTTP based APIs in a 
common way.
The GSS mechanism sure works in the SASL RPC framework, as we all know;
the GSS mechanism can also work in the SPNEGO process for HttpUrlConnection or a 
browser to access REST interfaces or web resources;
in situations where SPNEGO might not work for web services, a special filter 
should be used to contact the IdP to get an identity token, then request an 
access token, and use that access token to authenticate to the web service. In 
this case, since the filter and the servlets as the service are hosted in the 
same web server, no token transfer is involved.



[jira] [Commented] (HADOOP-9653) Token validation and transmission

2013-06-19 Thread Kai Zheng (JIRA)

[ https://issues.apache.org/jira/browse/HADOOP-9653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13687707#comment-13687707 ]

Kai Zheng commented on HADOOP-9653:
---

To securely transmit tokens in Hadoop RPC in a way that defends against all of 
the classical attacks, we might consider the SPKM/LIPKEY approach besides the 
SASL over SSL one mentioned in HADOOP-9533. Both assume a server certificate and 
optionally a client certificate. The GSS SPKM/LIPKEY mechanism can fit seamlessly 
in the current SASL RPC authentication framework but might require significant 
implementation effort. SSL is another option but has compatibility and 
performance challenges. Any thoughts here?



[jira] [Commented] (HADOOP-9653) Token validation and transmission

2013-06-19 Thread Kevin Minder (JIRA)

[ https://issues.apache.org/jira/browse/HADOOP-9653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13688114#comment-13688114 ]

Kevin Minder commented on HADOOP-9653:
--

This is of course related to the other token/SSO jiras HADOOP-9533 and 
HADOOP-9392.  I'm not very familiar with SPKM/LIPKEY, but based on a quick 
look at http://www.ietf.org/rfc/rfc2847.txt the use of GSS-API might be an 
issue.  At any rate, I have difficulty visualizing how arbitrary token types 
are going to be presented by the clients for either RPC or HTTP based APIs in a 
common way.  It seems more practical to support a single Hadoop 
identity/service access token at the service level with a trust transfer 
service that can bridge between external tokens and internal tokens.  This gets 
to the heart of the central vs distributed model discussion.

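Two passages in this thread describe the same shape of flow: Kai Zheng's 2013-06-20 comment (a filter contacts the IdP, obtains an identity token, exchanges it for an access token, and authenticates to the web service with that) and Kevin Minder's proposal just above for a single internal Hadoop access token with a trust transfer service bridging external tokens to internal ones. The Python below is an added illustration written for this page; it is not code from Hadoop, the Rhino work, Ping Federate or any IdP. The HMAC-signed "body.tag" token format, the two keys, the issuer and audience strings ("external-idp", "hadoop-trust-transfer", "webhdfs") and every function name are constructed assumptions chosen only to show what the validating side has to check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo keys (assumption for this example; a deployment would
# provision the IdP's verification key and the bridge's signing key separately).
IDP_KEY = b"external-idp-signing-key-demo"
BRIDGE_KEY = b"hadoop-trust-transfer-key-demo"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag: <b64 body>.<b64 tag>."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_token(token: str, key: bytes, *, issuer: str, audience: str, now: float) -> dict:
    """Return the claims only if tag, issuer, audience and expiry all check out.

    Every failure raises ValueError so the caller can treat them uniformly as
    'unauthenticated' rather than leaking which check failed to the client.
    """
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:             # token minted for someone else
        raise ValueError("unexpected audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


# Step 1: the external IdP issues an identity token addressed to the bridge.
def idp_issue_identity_token(user: str, now: float) -> str:
    return sign_token({"iss": "external-idp", "aud": "hadoop-trust-transfer",
                       "sub": user, "exp": now + 300}, IDP_KEY)


# Step 2: the trust transfer service validates the external identity token and
# exchanges it for a short-lived internal access token bound to one service.
def bridge_exchange(identity_token: str, service: str, now: float) -> str:
    ext = verify_token(identity_token, IDP_KEY, issuer="external-idp",
                       audience="hadoop-trust-transfer", now=now)
    return sign_token({"iss": "hadoop-trust-transfer", "aud": service,
                       "sub": ext["sub"], "exp": now + 60}, BRIDGE_KEY)


# Step 3: the filter in front of the web service accepts only internal tokens
# signed by the bridge and addressed to this service; it returns the principal.
def service_filter(access_token: str, service: str, now: float) -> str:
    claims = verify_token(access_token, BRIDGE_KEY, issuer="hadoop-trust-transfer",
                          audience=service, now=now)
    return claims["sub"]


def demo_flow(now: float = None) -> str:
    """Run the three steps for a constructed user and return the authenticated principal."""
    now = time.time() if now is None else now
    identity_token = idp_issue_identity_token("alice", now)
    access_token = bridge_exchange(identity_token, "webhdfs", now)
    return service_filter(access_token, "webhdfs", now)


if __name__ == "__main__":
    print("authenticated principal:", demo_flow())
```

The point the design discussion turns on is visible in `service_filter`: because the service only trusts the bridge's key and its own audience, an external identity token presented straight to the service, a token minted for a different service, a tampered token, or an expired one are all refused, and the IdP's key never has to be distributed to every service. Audience binding is what keeps a token obtained for one endpoint from being replayed against another, which is one of the classical attacks the issue description wants the RPC transport to defend against as well.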