Affects Version/s: None
Fix Version/s: None
As discussed in HADOOP-9392, we're proposing a pluggable TokenAuth framework to abstract and address the requirements, goals and collaboration concerns already widely discussed in that JIRA, in the design doc, and in the community. In this JIRA, we'll:
- Define the framework itself, and clarify the key goals, properties, and facilities that this framework should meet and provide. Most of the points have already been explained in HADOOP-9392 and the TokenAuth design doc. To collaborate with HSSO and, more importantly, to allow other solutions, TokenAuth itself is defined only as a framework with required APIs, protocols, flows, and facilities, along with some simple implementations for the related constructs, entities and even services. The framework is vendor-neutral and is subject to being widely discussed and defined together as a common effort of the community. As the most important point, the framework should be pluggable in all the key places, so that particular solutions can employ their own product-level implementations. Based on this framework, Rhino will come up with the HAS solution. High-level discussions of the framework can take place in this separate umbrella JIRA, and sub-task JIRAs will be opened to address each aspect of the framework.
- Define APIs for all the important entities and parties involved in TokenAuth framework.
- Define important procedures and protocols, for example, the protocol between token authn client and server.
- Implement this framework with the defined APIs, procedures and protocols. Meanwhile, leave pluggable extension points in key places for solutions to customize and implement with their own complicated mechanisms.
- Initially, we have the following items for the framework; the list is to be extended. Each item will be defined and discussed separately in its corresponding sub-task JIRA:
  - Token definition and API;
  - TokenAuthn method for Hadoop RPC;
  - Authentication Service API;
  - Identity Token Service API;
  - Access Token Service API;
  - Attribute Service API;
  - Token authentication client;
  - Token cache for TokenAuth;
  - Common configuration for TokenAuth;
  - Hadoop token command;
  - Key Provider API;
  - Web SSO for TokenAuth;
  - REST SSO for TokenAuth;
  - Auditing for TokenAuth;
  - etc.