Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-11717

Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.8.0, 3.0.0-alpha1
    • security
    • None
    • Reviewed

    Description

      Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.

      The actual authentication is done by some external service that the handler will redirect to when there is no hadoop.auth cookie and no JWT token found in the incoming request.

      Using JWT provides a number of benefits:

      • It is not tied to any specific authentication mechanism - so buys us many SSO integrations
      • It is cryptographically verifiable for determining whether it can be trusted
      • Checking for expiration allows for a limited lifetime and window for compromised use

      This will introduce the use of nimbus-jose-jwt library for processing, validating and parsing JWT tokens.

      Attachments

        1. HADOOP-11717-1.patch
          29 kB
          Larry McCay
        2. HADOOP-11717-2.patch
          35 kB
          Larry McCay
        3. HADOOP-11717-3.patch
          38 kB
          Larry McCay
        4. HADOOP-11717-4.patch
          38 kB
          Larry McCay
        5. HADOOP-11717-5.patch
          38 kB
          Larry McCay
        6. HADOOP-11717-6.patch
          41 kB
          Larry McCay
        7. HADOOP-11717-7.patch
          40 kB
          Larry McCay
        8. HADOOP-11717-8.patch
          40 kB
          Larry McCay
        9. RedirectingWebSSOwithJWTforHadoopWebUIs.pdf
          234 kB
          Larry McCay

        Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-11846 TestCertificateUtil.testCorruptPEM failing on Jenkins JDK8

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-11864 JWTRedirectAuthenticationHandler breaks java8 javadocs

          • Major - Major loss of function.
          • Resolved
          is related to

          Sub-task - The sub-task of the issue HADOOP-11817 A token authentication handler for Hadoop Web in generic token API

          • Major - Major loss of function.
          • Open

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-12481 JWTRedirectAuthenticationHandler doesn't Retain Original Query String

          • Major - Major loss of function.
          • Resolved
          relates to

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-10959 A Kerberos based token authentication approach

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-11766 Generic token authentication support for Hadoop

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. HADOOP-15075 Implement KnoxSSO for hadoop web UIs (hdfs, yarn, history server etc.)

          • Major - Major loss of function.
          • Resolved
          mentioned in

          Page Loading...

          Activity

            People

              lmccay Larry McCay
              lmccay Larry McCay
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: