You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2013/11/01 15:11:20 UTC

[jira] [Commented] (HADOOP-9804) Hadoop RPC TokenAuthn method

    [ https://issues.apache.org/jira/browse/HADOOP-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13811266#comment-13811266 ] 

Larry McCay commented on HADOOP-9804:
-------------------------------------

It seems from various discussions that we have had on the mailing lists and at Hadoop Summit 2013 that what folks want is the ability for the services to continue to authenticate via kerberos and allow user authentication to happen via some pluggable way. I am curious what this will mean for:

* negotiation - does the negotiation allow for selecting different methods
* if the both choose TokenAuth (or whatever the name becomes) and they can be configured to realize the token in different ways than I guess the negotiation isn't an issue
* the ability for a client side authentication in the SASL layer to authenticate via LDAP - for instance - and the server side in the SASL layer to authenticate via kerberos
* do we have each authenticate and present a canonical token to each other here 
* does this described scenario necessitate changes in the current patch here

> Hadoop RPC TokenAuthn method
> ----------------------------
>
>                 Key: HADOOP-9804
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9804
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>              Labels: TokenAuth
>             Fix For: 3.0.0
>
>         Attachments: HADOOP-9804-v1.patch
>
>
> As defined in TokenAuth framework, TokenAuthn as a new authentication method is to be added in current Hadoop SASL authentication framework, to allow client to access service with access token. The scope of this is as follows: 
>  
> * Add a new SASL mechanism for TokenAuthn method, including necessary SASL client and SASL server with corresponding callbacks;
> * Add TokenAuthn method in UGI and allow the method to be configured for Hadoop and the ecosystem;
> * Allow TokenAuthn method to be negotiated between client and server;
> * Define the IDP-initiated flow and SP-initiated flow in the RPC access;
> * Allow access token to be negotiated between client and server, considering both IDP-initiated case and SP-initiated case. 



--
This message was sent by Atlassian JIRA
(v6.1#6144)