- Client requests the Authenticator class name
- Client creates instance of Authenticator, calls login(Properties)
- Properties are used to create the appropriate Token, which implements Writable, and return it to user.
- Client uses principal + Token with getConnector call
- Token is immediately serialized to be used within client api and packaged into a Credential object
- Credential gets sent to server via thrift
- Principal is checked, if !SYSTEM treated as a PasswordToken, otherwise deserialized as a class defined by the Authenticator (Writable's readFields method called on said class)
- Token us then passed through the SecurityOperations impl as well as the authenticator api.
This allows the authenticator API to use their requested tokens without confusion/code injection issues with deserialization happening for unknown token classes.
The exact same process for token creation can also be used by the Proxy, with a Map of properties being passed it to create a token on the proxy.
For backward support, the ZKAuthenticator will expect a PasswordToken, which is simply a byte array.