[jira] [Updated] (HADOOP-11766) Generic token authentication support for Hadoop
[
https://issues.apache.org/jira/browse/HADOOP-11766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jiajia Li updated HADOOP-11766:
---
Attachment: HADOOP-11766-V1.patch
Uploaded a rough patch illustrating the overall ideas:
1. Defined a generic token interface named {{AuthToken}}, abstracting common
token attributes;
2. Implemented {{JwtAuthToken}} and {{CloudFoundryOAuth2Token}}, with
corresponding decoders and validators, for checking signature, expiration,
audiences and scope. The token decoder and validators are pluggable and
configurable;
3. Provided a new {{AuthTokenAuthenticationHandler}} for hadoop Web UI, REST
and WebHDFS, that can support the JWT token and cloudfoundry OAuth2 token.
> Generic token authentication support for Hadoop
> ---
>
> Key: HADOOP-11766
> URL: https://issues.apache.org/jira/browse/HADOOP-11766
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
>Reporter: Kai Zheng
>Assignee: Kai Zheng
> Attachments: HADOOP-11766-V1.patch
>
>
> As a major goal of Rhino project, we proposed *TokenAuth* effort in
> HADOOP-9392, where it's to provide a common token authentication framework to
> integrate multiple authentication mechanisms, by adding a new
> {{AuthenticationMethod}} in lieu of {{KERBEROS}} and {{SIMPLE}}. To minimize
> the required changes and risk, we thought of another approach to achieve the
> general goals based on Kerberos as Kerberos itself supports a
> pre-authentication framework in both spec and implementation, which was
> discussed in HADOOP-10959 as *TokenPreauth*. In both approaches, we had
> performed workable prototypes covering both command line console and Hadoop
> web UI.
> As HADOOP-9392 is rather lengthy and heavy, HADOOP-10959 is mostly focused on
> the concrete implementation approach based on Kerberos, we open this for more
> general and updated discussions about requirement, use cases, and concerns
> for the generic token authentication support for Hadoop. We distinguish this
> token from existing Hadoop tokens as the token in this discussion is majorly
> for the initial and primary authentication. We will refine our existing codes
> in HADOOP-9392 and HADOOP-10959, break them down into smaller patches based
> on latest trunk.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11766) Generic token authentication support for Hadoop
[
https://issues.apache.org/jira/browse/HADOOP-11766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yi Liu updated HADOOP-11766:
Assignee: Kai Zheng
> Generic token authentication support for Hadoop
> ---
>
> Key: HADOOP-11766
> URL: https://issues.apache.org/jira/browse/HADOOP-11766
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
>Reporter: Kai Zheng
>Assignee: Kai Zheng
>
> As a major goal of Rhino project, we proposed *TokenAuth* effort in
> HADOOP-9392, where it's to provide a common token authentication framework to
> integrate multiple authentication mechanisms, by adding a new
> {{AuthenticationMethod}} in lieu of {{KERBEROS}} and {{SIMPLE}}. To minimize
> the required changes and risk, we thought of another approach to achieve the
> general goals based on Kerberos as Kerberos itself supports a
> pre-authentication framework in both spec and implementation, which was
> discussed in HADOOP-10959 as *TokenPreauth*. In both approaches, we had
> performed workable prototypes covering both command line console and Hadoop
> web UI.
> As HADOOP-9392 is rather lengthy and heavy, HADOOP-10959 is mostly focused on
> the concrete implementation approach based on Kerberos, we open this for more
> general and updated discussions about requirement, use cases, and concerns
> for the generic token authentication support for Hadoop. We distinguish this
> token from existing Hadoop tokens as the token in this discussion is majorly
> for the initial and primary authentication. We will refine our existing codes
> in HADOOP-9392 and HADOOP-10959, break them down into smaller patches based
> on latest trunk.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11766) Generic token authentication support for Hadoop
[
https://issues.apache.org/jira/browse/HADOOP-11766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kai Zheng updated HADOOP-11766:
---
Assignee: (was: Kai Zheng)
> Generic token authentication support for Hadoop
> ---
>
> Key: HADOOP-11766
> URL: https://issues.apache.org/jira/browse/HADOOP-11766
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
>Reporter: Kai Zheng
>
> As a major goal of Rhino project, we proposed *TokenAuth* effort in
> HADOOP-9392, where it's to provide a common token authentication framework to
> integrate multiple authentication mechanisms, by adding a new
> {{AuthenticationMethod}} in lieu of {{KERBEROS}} and {{SIMPLE}}. To minimize
> the required changes and risk, we thought of another approach to achieve the
> general goals based on Kerberos as Kerberos itself supports a
> pre-authentication framework in both spec and implementation, which was
> discussed in HADOOP-10959 as *TokenPreauth*. In both approaches, we had
> performed workable prototypes covering both command line console and Hadoop
> web UI.
> As HADOOP-9392 is rather lengthy and heavy, HADOOP-10959 is mostly focused on
> the concrete implementation approach based on Kerberos, we open this for more
> general and updated discussions about requirement, use cases, and concerns
> for the generic token authentication support for Hadoop. We distinguish this
> token from existing Hadoop tokens as the token in this discussion is majorly
> for the initial and primary authentication. We will refine our existing codes
> in HADOOP-9392 and HADOOP-10959, break them down into smaller patches based
> on latest trunk.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
