Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-11717

Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.

      The actual authentication is done by some external service that the handler will redirect to when there is no hadoop.auth cookie and no JWT token found in the incoming request.

      Using JWT provides a number of benefits:

      • It is not tied to any specific authentication mechanism - so buys us many SSO integrations
      • It is cryptographically verifiable for determining whether it can be trusted
      • Checking for expiration allows for a limited lifetime and window for compromised use

      This will introduce the use of nimbus-jose-jwt library for processing, validating and parsing JWT tokens.

        Attachments

        1. RedirectingWebSSOwithJWTforHadoopWebUIs.pdf
          234 kB
          Larry McCay
        2. HADOOP-11717-8.patch
          40 kB
          Larry McCay
        3. HADOOP-11717-7.patch
          40 kB
          Larry McCay
        4. HADOOP-11717-6.patch
          41 kB
          Larry McCay
        5. HADOOP-11717-5.patch
          38 kB
          Larry McCay
        6. HADOOP-11717-4.patch
          38 kB
          Larry McCay
        7. HADOOP-11717-3.patch
          38 kB
          Larry McCay
        8. HADOOP-11717-2.patch
          35 kB
          Larry McCay
        9. HADOOP-11717-1.patch
          29 kB
          Larry McCay

          Issue Links

            Activity

              People

              • Assignee:
                lmccay Larry McCay
                Reporter:
                lmccay Larry McCay
              • Votes:
                0 Vote for this issue
                Watchers:
                11 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: