@Min, I added you as a watcher on this issue; I hope you do not mind.
At Hadoop World NYC I got to listen to Owen O'Malley give his presentation on Hadoop security. He also took some time to answer some questions for me.
In summary, Hadoop 0.22 is going to have authentication at the RPC layer. It can be turned on and off through Hadoop configuration. This authentication will be able to use Kerberos or Active Directory's Kerberos implementation.
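If the on/off switch follows the usual Hadoop conventions, I would expect it to be a core-site.xml property, something along these lines (a sketch only; the property name `hadoop.security.authentication` and its values are my assumption about what will ship, not something confirmed in the talk):

```xml
<!-- core-site.xml: sketch of what the toggle might look like.
     The property name and values here are assumptions. -->
<property>
  <name>hadoop.security.authentication</name>
  <!-- "simple" = no authentication (today's behavior),
       "kerberos" = authentication at the RPC layer -->
  <value>kerberos</value>
</property>
```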
DFS is the easy case: you authenticate directly to it.
MapReduce is another beast. The JobTracker/TaskTracker will have to run jobs as the submitting user on the system! So my jobs will run under my POSIX account (I am not sure whether this is in place on only the JobTracker, or on the TaskTracker as well).
Programs that act as proxies, like the JobTracker, might need a binary shim that starts them as the root user and then drops to the hadoop user; something similar is also required to run jobs as the submitting user.
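The privilege drop such a shim performs is standard POSIX fare. Here is a minimal sketch of just that step (my illustration, not Hadoop's actual shim; the function name `drop_privileges` is made up). Note the ordering: the group must be dropped before the user, because once the process has given up root it is no longer allowed to change its group.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Sketch of the privilege-drop step a root-started shim would perform
 * before exec'ing the real daemon or the user's task. Illustration
 * only; this is not Hadoop's actual shim.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Drop the group first: after setuid() to a non-root user,
     * setgid() would no longer be permitted. */
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* From here the shim would execv() the actual binary, which now
     * runs with the target user's credentials. */
    return 0;
}
```

A real shim would also sanitize the environment and validate which users it is willing to become before dropping, so it cannot be abused as a general setuid trampoline.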
"Why Kerberos?" I asked him. Kerberos allows a ticket to be created and attached to your session; that ticket can then be passed on to the JobTracker, for example. Otherwise you would have to put a password/key on the JobTracker itself, and stashing your password in a JobConf would be nasty.
So it seems that proxy-type applications like HWI and HiveServer may have to take some part in passing around the Kerberos tickets.
The Hadoop web interfaces will use Kerberos as well. SPNEGO is the protocol for this, and it has good cross-browser support. So that is the future...