[HADOOP-9392] Token based authentication and Single Sign On - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: security
Labels:
None

Tags:
Project Rhino

Description

This is an umbrella entry for one of project Rhino’s topic, for details of project Rhino, please refer to https://github.com/intel-hadoop/project-rhino/. The major goal for this entry as described in project Rhino was

“Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication at the RPC layer, via SASL. However this does not provide valuable attributes such as group membership, classification level, organizational identity, or support for user defined attributes. Hadoop components must interrogate external resources for discovering these attributes and at scale this is problematic. There is also no consistent delegation model. HDFS has a simple delegation capability, and only Oozie can take limited advantage of it. We will implement a common token based authentication framework to decouple internal user and service authentication from external mechanisms used to support it (like Kerberos)”

We’d like to start our work from Hadoop-Common and try to provide common facilities by extending existing authentication framework which support:
1. Pluggable token provider interface
2. Pluggable token verification protocol and interface
3. Security mechanism to distribute secrets in cluster nodes
4. Delegation model of user authentication

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

token-based-authn-plus-sso-v2.0.pdf
03/Jul/13 17:42
838 kB
Kai Zheng
token-based-authn-plus-sso.pdf
02/May/13 16:59
555 kB
Kai Zheng
TokenAuth-breakdown.pdf
30/Jul/13 13:25
306 kB
Kai Zheng

Issue Links

is related to

HADOOP-9479 Ability to plugin custom authentication mechanisms based on Jaas and Sasl

In Progress

HADOOP-8779 Use tokens regardless of authentication type

Open

HADOOP-9534 Credential Management Framework (CMF)

Resolved

HADOOP-9296 Authenticating users from different realm without a trust relationship

Resolved

is required by

HADOOP-9466 Unified authorization framework

Open

relates to

HADOOP-9533 Centralized Hadoop SSO/Token Server

Open

HADOOP-11766 Generic token authentication support for Hadoop

Open

HADOOP-14808 Hadoop keychain

Patch Available

HADOOP-9671 Improve Hadoop security - Use cases, Threat Model and Problems

Open

HADOOP-9621 Document/analyze current Hadoop security model

Open

(5 relates to)

Sub-Tasks

1.	Implementing TokenAuth framework and Simple authentication over TokenAuth	Open	Kai Zheng
2.	Token validation and transmission	Open	Kai Zheng
3.	Pluggable TokenAuth framework and core facilities	Open	Yi Liu
4.	Pluggable and compatible UGI change	Open	Kai Zheng
5.	TokenAuth Implementation - HAS	Open	Unassigned
6.	TokenAuth Integration	Open	Kai Zheng
7.	Token definition and API	Patch Available	Yi Liu
8.	Identity Token Service API	Open	Yi Liu

Activity

People

Assignee:: Yi Liu

Reporter:: Kai Zheng

Votes:: 4 Vote for this issue

Watchers:: 66 Start watching this issue

Dates

Created:: 11/Mar/13 11:58

Updated:: 25/Aug/17 17:04