Details

    • Sub-task
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.0.0-alpha1
    • None
    • security

    Description

      HAS is a complete, enterprise-ready security solution based on the TokenAuth framework proposed in HADOOP-9392, utilizing the common facilities that framework provides. It supplies all the implementations of the entities, interfaces and services defined in the framework that are required for industrial deployment.

      As a major goal for Rhino, HAS addresses the AAA (Authentication, Authorization and Auditing) concerns for Hadoop across the ecosystem. The 'A' of HAS can stand for "Authentication", "Authorization" or "Auditing", depending on which role(s) HAS is configured with. At a high level, we may need an Authentication Server, an Authorization Server, or an Auditing Server; these servers could be combined into one centralized server, or be deployed separately for performance or network reasons. Currently we are mainly focusing on "Authentication" and "Authorization", and these two roles can be configured in one server instance or in separate server instances.

      A more detailed scope of HAS implementation is as follows:

      • Define and implement the common and management facilities shared across the implementations of the different services. These include a configuration mechanism for services, a persistence API with methods for loading and storing data, an auditing and logging API, a shared high-availability approach, a REST API framework with its authentication, and so on.
      • Define and implement the Authentication Server role for HAS. The authentication server provides the identity authentication service and issues identity tokens. Authentication can be configured with a chain of authentication modules to provide multi-factor authentication. By default, we will support an AD (as LDAP) / LDAP authentication module and an AD (as Kerberos) / Kerberos authentication module.
      • Define and implement the Authorization Server role for HAS. The authorization server covers service-level authorization, access token issuance and the fine-grained authorization service.
      • Implement the Attribute Service for HAS, to allow integration of third-party attribute authorities. The Attribute Service provides the ability to connect to and retrieve attributes from different attribute sources, such as LDAP or a database.
      • Provide an authorization enforcement library for Hadoop services to enforce security policies using the related services provided by the Authorization Server. To enforce the fine-grained authorization policies, the policies must be loaded, synchronized and evaluated on the Hadoop side.

      People

      Assignee: Unassigned
      Reporter: Haifeng Chen (jerrychenhf)