[HADOOP-9392] Token based authentication and Single Sign On - ASF JIRA

Add vote

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: security
Labels:
None

Tags:
Project Rhino

Description

This is an umbrella entry for one of project Rhino’s topic, for details of project Rhino, please refer to https://github.com/intel-hadoop/project-rhino/. The major goal for this entry as described in project Rhino was

“Core, HDFS, ZooKeeper, and HBase currently support Kerberos authentication at the RPC layer, via SASL. However this does not provide valuable attributes such as group membership, classification level, organizational identity, or support for user defined attributes. Hadoop components must interrogate external resources for discovering these attributes and at scale this is problematic. There is also no consistent delegation model. HDFS has a simple delegation capability, and only Oozie can take limited advantage of it. We will implement a common token based authentication framework to decouple internal user and service authentication from external mechanisms used to support it (like Kerberos)”

We’d like to start our work from Hadoop-Common and try to provide common facilities by extending existing authentication framework which support:
1. Pluggable token provider interface
2. Pluggable token verification protocol and interface
3. Security mechanism to distribute secrets in cluster nodes
4. Delegation model of user authentication

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

TokenAuth-breakdown.pdf
30/Jul/13 13:25
306 kB
Kai Zheng
token-based-authn-plus-sso.pdf
02/May/13 16:59
555 kB
Kai Zheng
token-based-authn-plus-sso-v2.0.pdf
03/Jul/13 17:42
838 kB
Kai Zheng

Issue Links

Add Link

is related to

HADOOP-9479 Ability to plugin custom authentication mechanisms based on Jaas and Sasl

In Progress

Delete this link

HADOOP-8779 Use tokens regardless of authentication type

Open

Delete this link

HADOOP-9534 Credential Management Framework (CMF)

Resolved

Delete this link

HADOOP-9296 Authenticating users from different realm without a trust relationship

Resolved

Delete this link

is required by

HADOOP-9466 Unified authorization framework

Open

Delete this link

relates to

HADOOP-9533 Centralized Hadoop SSO/Token Server

Open

Delete this link

HADOOP-11766 Generic token authentication support for Hadoop

Open

Delete this link

HADOOP-14808 Hadoop keychain

Patch Available

Delete this link

HADOOP-9671 Improve Hadoop security - Use cases, Threat Model and Problems

Open

Delete this link

HADOOP-9621 Document/analyze current Hadoop security model

Open

Delete this link

(5 relates to)

Sub-Tasks

Create Sub-Task

1.	Implementing TokenAuth framework and Simple authentication over TokenAuth	Open	Kai Zheng	Actions
2.	Token validation and transmission	Open	Kai Zheng	Actions
3.	Pluggable TokenAuth framework and core facilities	Open	Yi Liu	Actions
4.	Pluggable and compatible UGI change	Open	Kai Zheng	Actions
5.	TokenAuth Implementation - HAS	Open	Unassigned	Actions
6.	TokenAuth Integration	Open	Kai Zheng	Actions
7.	Token definition and API	Patch Available	Yi Liu	Actions
8.	Identity Token Service API	Open	Yi Liu	Actions

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Yi Liu

Reporter:: Kai Zheng

Votes:: 4 Vote for this issue

Watchers:: 66 Start watching this issue

Dates

Created:: 11/Mar/13 11:58

Updated:: 25/Aug/17 17:04

Agile

View on Board

Token based authentication and Single Sign On

Details

Description

Attachments

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates

Agile

Slack

Issue deployment