Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-12082

Support multiple authentication schemes via AuthenticationFilter

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.8.0, 3.0.0-alpha2
    • Component/s: security
    • Labels:
      None

      Description

      The requirement is to support LDAP based authentication scheme via Hadoop AuthenticationFilter. HADOOP-9054 added a support to plug-in custom authentication scheme (in addition to Kerberos) via AltKerberosAuthenticationHandler class. But it is based on selecting the authentication mechanism based on User-Agent HTTP header which does not conform to HTTP protocol semantics.

      As per RFC-2616

      • HTTP protocol provides a simple challenge-response authentication mechanism that can be used by a server to challenge a client request and by a client to provide the necessary authentication information.
      • This mechanism is initiated by server sending the 401 (Authenticate) response with ‘WWW-Authenticate’ header which includes at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.
      • In case server supports multiple authentication schemes, it may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a different auth-scheme.
      • A user agent MUST choose to use the strongest auth-scheme it understands and request credentials from the user based upon that challenge.

      The existing Hadoop authentication filter implementation supports Kerberos authentication scheme and uses ‘Negotiate’ as the challenge as part of ‘WWW-Authenticate’ response header. As per the following documentation, ‘Negotiate’ challenge scheme is only applicable to Kerberos (and Windows NTLM) authentication schemes.
      SPNEGO-based Kerberos and NTLM HTTP Authentication
      Understanding HTTP Authentication

      On the other hand for LDAP authentication, typically ‘Basic’ authentication scheme is used (Note TLS is mandatory with Basic authentication scheme).
      http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html

      Hence for this feature, the idea would be to provide a custom implementation of Hadoop AuthenticationHandler and Authenticator interfaces which would support both schemes - Kerberos (via Negotiate auth challenge) and LDAP (via Basic auth challenge). During the authentication phase, it would send both the challenges and let client pick the appropriate one. If client responds with an ‘Authorization’ header tagged with ‘Negotiate’ - it will use Kerberos authentication. If client responds with an ‘Authorization’ header tagged with ‘Basic’ - it will use LDAP authentication.

      Note - some HTTP clients (e.g. curl or Apache Http Java client) need to be configured to use one scheme over the other e.g.

      Typically web browsers automatically choose an authentication scheme based on a notion of “strength” of security. e.g. take a look at the design of Chrome browser for HTTP authentication

        Attachments

        1. HADOOP-12082.patch
          80 kB
          Hrishikesh Gadre
        2. HADOOP-12082-001.patch
          79 kB
          Hrishikesh Gadre
        3. HADOOP-12082-002.patch
          79 kB
          Hrishikesh Gadre
        4. HADOOP-12082-003.patch
          80 kB
          Hrishikesh Gadre
        5. HADOOP-12082-004.patch
          80 kB
          Hrishikesh Gadre
        6. HADOOP-12082-005.patch
          82 kB
          Hrishikesh Gadre
        7. HADOOP-12082-006.patch
          82 kB
          Hrishikesh Gadre
        8. HADOOP-12082-branch-2.8.patch
          81 kB
          Hrishikesh Gadre
        9. HADOOP-12082-branch-2.8-001.patch
          81 kB
          Hrishikesh Gadre
        10. HADOOP-12082-branch-2.8-002.patch
          81 kB
          Hrishikesh Gadre
        11. HADOOP-12082-branch-2.patch
          81 kB
          Hrishikesh Gadre
        12. HADOOP-12082-branch-2-001.patch
          81 kB
          Hrishikesh Gadre
        13. HADOOP-12082-branch-2-002.patch
          81 kB
          Hrishikesh Gadre
        14. HADOOP-12082-branch-2-003.patch
          81 kB
          Hrishikesh Gadre
        15. hadoop-ldap.patch
          14 kB
          Hrishikesh Gadre
        16. hadoop-ldap-auth-v2.patch
          43 kB
          Hrishikesh Gadre
        17. hadoop-ldap-auth-v3.patch
          61 kB
          Hrishikesh Gadre
        18. hadoop-ldap-auth-v4.patch
          59 kB
          Hrishikesh Gadre
        19. hadoop-ldap-auth-v5.patch
          70 kB
          Hrishikesh Gadre
        20. hadoop-ldap-auth-v6.patch
          78 kB
          Hrishikesh Gadre
        21. multi-scheme-auth-support-poc.patch
          7 kB
          Hrishikesh Gadre

          Issue Links

            Activity

              People

              • Assignee:
                hgadre Hrishikesh Gadre
                Reporter:
                hgadre Hrishikesh Gadre
              • Votes:
                1 Vote for this issue
                Watchers:
                25 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: