Posted to common-issues@hadoop.apache.org by "Kai Zheng (JIRA)" <ji...@apache.org> on 2013/09/03 08:53:53 UTC

[jira] [Commented] (HADOOP-9671) Improve Hadoop security - Use cases, Threat Model and Problems

    [ https://issues.apache.org/jira/browse/HADOOP-9671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13756397#comment-13756397 ] 

Kai Zheng commented on HADOOP-9671:
-----------------------------------

bq. I assume that "common token" is the one issued by the newly proposed Hadoop Authentication Server (HAS). Do you mean that we need to replace the delegation token and the block tokens with it?
Right. The “common token” mentioned in the requirement is the one issued by HAS. As we have already discussed in HADOOP-9392, the HAS token can coexist with the existing Hadoop tokens (delegation token, block token, etc.), and in the current phase we do not propose to replace Hadoop's existing tokens with the new one. In the future we might consider that as an improvement and unify Hadoop's existing tokens with the fundamental infrastructure and facilities provided by HAS.
 
bq. What are the "new authentication method" and the "concrete authentication method"?
The mentioned “new authentication method” is the proposed TokenAuthn method to be added to the current Hadoop SASL/RPC framework in lieu of ‘simple’ and ‘kerberos’. This new authentication method (TokenAuthn) bridges various concrete authentication mechanisms to Hadoop for traditional IdPs and identity back ends like SQL/JDBC, AD/LDAP, Web SSO products, etc. In this way, Hadoop only needs to understand the TokenAuthn method, without bothering to understand concrete authentication providers like AD/LDAP.
 
bq. Can you expand on this and also give an example? I got it that the token will contain both the main principal and also the group membership, based on the discussion on other Jiras. Do you mean more than that?
By default the TokenAuth framework will define some attributes to be contained in the token; as to which attributes to put in, how about we discuss that in HADOOP-9836 regarding the token definition and API? Besides that, more attributes can be provisioned into the token from the Attribute Service by employing security policies.
 
bq. Hadoop supports this today. Did you want to do something different?
Yes, Hadoop supports proxy today, and to stay consistent with it the TokenAuth framework and HAS implementation were introduced with plugin support for various IdPs, to support proxy in terms of the token. Please refer to the design doc for the complete flow and description regarding it. Thanks.

> Improve Hadoop security - Use cases, Threat Model and Problems
> --------------------------------------------------------------
>
>                 Key: HADOOP-9671
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9671
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Sanjay Radia
>
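The comment above describes TokenAuthn as the single method Hadoop needs to understand: the service checks a HAS-issued token carrying the principal and group attributes, and proxy (impersonation) is expressed in the token rather than in a per-IdP mechanism. The following sketch is an added illustration of that idea, not code from Hadoop or the HAS design; the token layout, the attribute names, the HMAC signing key and the proxy ACL shape are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for this example: HAS and the Hadoop service share an HMAC key.
# A real deployment would use a properly provisioned key, not a constant.
SHARED_KEY = b"example-has-signing-key"


def issue_token(principal, groups, ttl_sec=3600, proxy_user=None, now=None):
    """HAS side (simplified): the concrete IdP (LDAP, SQL, SSO) has already
    authenticated 'principal'; HAS only packages identity attributes."""
    now = time.time() if now is None else now
    body = {"principal": principal, "groups": sorted(groups), "exp": now + ttl_sec}
    if proxy_user:
        body["proxy_user"] = proxy_user  # assumed attribute name for "act as"
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


class TokenAuthn:
    """Hadoop side: verifies tokens only, never talks to the IdP itself."""

    def __init__(self, key, proxy_acl):
        self.key = key
        self.proxy_acl = proxy_acl  # {real_user: set(users it may proxy)}

    def authenticate(self, token, now=None):
        now = time.time() if now is None else now
        try:
            payload, sig = token.split(".")
        except ValueError:
            raise PermissionError("malformed token")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        # Constant-time compare before trusting anything inside the payload.
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad signature")
        body = json.loads(base64.urlsafe_b64decode(payload))
        if body["exp"] <= now:
            raise PermissionError("token expired")
        real = body["principal"]
        effective = body.get("proxy_user", real)
        if effective != real and effective not in self.proxy_acl.get(real, set()):
            raise PermissionError(f"{real} is not allowed to proxy {effective}")
        return {"real_user": real, "effective_user": effective, "groups": body["groups"]}
```

The service decision needs nothing beyond the token, which is the property the TokenAuthn bridge is meant to give; the proxy ACL check keeps impersonation bounded the way Hadoop's existing proxy-user configuration does.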

