[jira] [Updated] (HADOOP-11766) Generic token authentication support for Hadoop
[ https://issues.apache.org/jira/browse/HADOOP-11766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jiajia Li updated HADOOP-11766: --- Attachment: HADOOP-11766-V1.patch Uploaded a rough patch illustrating the overall ideas: 1. Defined a generic token interface named {{AuthToken}}, abstracting common token attributes; 2. Implemented {{JwtAuthToken}} and {{CloudFoundryOAuth2Token}}, with corresponding decoders and validators, for checking signature, expiration, audiences and scope. The token decoder and validators are pluggable and configurable; 3. Provided a new {{AuthTokenAuthenticationHandler}} for hadoop Web UI, REST and WebHDFS, that can support the JWT token and cloudfoundry OAuth2 token. > Generic token authentication support for Hadoop > --- > > Key: HADOOP-11766 > URL: https://issues.apache.org/jira/browse/HADOOP-11766 > Project: Hadoop Common > Issue Type: New Feature > Components: security >Reporter: Kai Zheng >Assignee: Kai Zheng > Attachments: HADOOP-11766-V1.patch > > > As a major goal of Rhino project, we proposed *TokenAuth* effort in > HADOOP-9392, where it's to provide a common token authentication framework to > integrate multiple authentication mechanisms, by adding a new > {{AuthenticationMethod}} in lieu of {{KERBEROS}} and {{SIMPLE}}. To minimize > the required changes and risk, we thought of another approach to achieve the > general goals based on Kerberos as Kerberos itself supports a > pre-authentication framework in both spec and implementation, which was > discussed in HADOOP-10959 as *TokenPreauth*. In both approaches, we had > performed workable prototypes covering both command line console and Hadoop > web UI. > As HADOOP-9392 is rather lengthy and heavy, HADOOP-10959 is mostly focused on > the concrete implementation approach based on Kerberos, we open this for more > general and updated discussions about requirement, use cases, and concerns > for the generic token authentication support for Hadoop. We distinguish this > token from existing Hadoop tokens as the token in this discussion is majorly > for the initial and primary authentication. We will refine our existing codes > in HADOOP-9392 and HADOOP-10959, break them down into smaller patches based > on latest trunk. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11766) Generic token authentication support for Hadoop
[ https://issues.apache.org/jira/browse/HADOOP-11766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Yi Liu updated HADOOP-11766: Assignee: Kai Zheng > Generic token authentication support for Hadoop > --- > > Key: HADOOP-11766 > URL: https://issues.apache.org/jira/browse/HADOOP-11766 > Project: Hadoop Common > Issue Type: New Feature > Components: security >Reporter: Kai Zheng >Assignee: Kai Zheng > > As a major goal of Rhino project, we proposed *TokenAuth* effort in > HADOOP-9392, where it's to provide a common token authentication framework to > integrate multiple authentication mechanisms, by adding a new > {{AuthenticationMethod}} in lieu of {{KERBEROS}} and {{SIMPLE}}. To minimize > the required changes and risk, we thought of another approach to achieve the > general goals based on Kerberos as Kerberos itself supports a > pre-authentication framework in both spec and implementation, which was > discussed in HADOOP-10959 as *TokenPreauth*. In both approaches, we had > performed workable prototypes covering both command line console and Hadoop > web UI. > As HADOOP-9392 is rather lengthy and heavy, HADOOP-10959 is mostly focused on > the concrete implementation approach based on Kerberos, we open this for more > general and updated discussions about requirement, use cases, and concerns > for the generic token authentication support for Hadoop. We distinguish this > token from existing Hadoop tokens as the token in this discussion is majorly > for the initial and primary authentication. We will refine our existing codes > in HADOOP-9392 and HADOOP-10959, break them down into smaller patches based > on latest trunk. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11766) Generic token authentication support for Hadoop
[ https://issues.apache.org/jira/browse/HADOOP-11766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kai Zheng updated HADOOP-11766: --- Assignee: (was: Kai Zheng) > Generic token authentication support for Hadoop > --- > > Key: HADOOP-11766 > URL: https://issues.apache.org/jira/browse/HADOOP-11766 > Project: Hadoop Common > Issue Type: New Feature > Components: security >Reporter: Kai Zheng > > As a major goal of Rhino project, we proposed *TokenAuth* effort in > HADOOP-9392, where it's to provide a common token authentication framework to > integrate multiple authentication mechanisms, by adding a new > {{AuthenticationMethod}} in lieu of {{KERBEROS}} and {{SIMPLE}}. To minimize > the required changes and risk, we thought of another approach to achieve the > general goals based on Kerberos as Kerberos itself supports a > pre-authentication framework in both spec and implementation, which was > discussed in HADOOP-10959 as *TokenPreauth*. In both approaches, we had > performed workable prototypes covering both command line console and Hadoop > web UI. > As HADOOP-9392 is rather lengthy and heavy, HADOOP-10959 is mostly focused on > the concrete implementation approach based on Kerberos, we open this for more > general and updated discussions about requirement, use cases, and concerns > for the generic token authentication support for Hadoop. We distinguish this > token from existing Hadoop tokens as the token in this discussion is majorly > for the initial and primary authentication. We will refine our existing codes > in HADOOP-9392 and HADOOP-10959, break them down into smaller patches based > on latest trunk. -- This message was sent by Atlassian JIRA (v6.3.4#6332)