[
https://issues.apache.org/jira/browse/HADOOP-8758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13450662#comment-13450662
]
Daryn Sharp commented on HADOOP-8758:
-------------------------------------
I've been experimenting with allowing simple auth to issue and allow tokens,
but not require them for backwards compat. I am very excited to find it isn't
very hard to modify the NN/DFS and prove it works via {{FsShell}}. However, a
lot of {{UGI.isSecurityEnabled()}} throughout Hadoop need to be visited.
I'll file another jira, probably with sub-tasks to keep it simple -- no pun
intended. This work will require the removal of hardcoded assumptions of Kerberos,
which should make pluggable authentication much easier.
> Support for pluggable token implementations
> -------------------------------------------
>
> Key: HADOOP-8758
> URL: https://issues.apache.org/jira/browse/HADOOP-8758
> Project: Hadoop Common
> Issue Type: Improvement
> Components: ipc, security
> Reporter: Kan Zhang
> Assignee: Kan Zhang
>
> Variants of the delegation token mechanism have been employed by different
> Hadoop services (NN, JT, RM, etc) to re-authenticate a previously
> Kerberos-authenticated client. While the existing delegation token mechanism
> complements Kerberos well, it doesn't necessarily have to be coupled with
> Kerberos. In principle, delegation tokens can be coupled with any
> authentication mechanism that bootstraps security. In particular, it can be
> coupled with other token implementations that use the same DIGEST-MD5 auth
> method. For example, a token can be pre-generated in an out-of-band manner
> and configured as a shared secret key between NN and JT to allow JT to make
> initial authentication to NN. This simple example doesn't deal with token
> renewal etc, but it helps to illustrate the point that if we can support
> multiple pluggable token implementations, it opens up the possibility for
> different users to plug in the token implementation of their choice to
> bootstrap security. Such a token-based mechanism has advantages over Kerberos
> in that 1) it doesn't require Kerberos infrastructure, 2) it leverages the
> existing SASL DIGEST-MD5 auth method and doesn't require adding a new RPC
> auth method.
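The following Python sketch is an added illustration of the design the issue description argues for; it is not code from the JIRA issue or from Hadoop itself. It models a server that dispatches on a token *kind* and delegates password lookup to a pluggable secret manager, with two kinds registered: an HMAC-derived delegation token (the shape Hadoop's delegation tokens take, here with a constructed master key) and an operator-configured shared secret standing in for the out-of-band NN/JT bootstrap token. All class and function names are hypothetical, the wire format of the identifier is made up, and the HMAC-SHA256 challenge/response in `compute_response` is a simplified stand-in for the real SASL DIGEST-MD5 exchange, not an implementation of it. The `demo()` function walks through the accept and reject cases a reviewer would want to see: valid token, expired token, identifier with an edited owner, correct and wrong shared secret, and a token kind no plug-in was registered for.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

class InvalidToken(Exception):
    """Identifier cannot be mapped to a password: malformed, unknown, revoked or expired."""

@dataclass(frozen=True)
class DelegationTokenIdentifier:
    owner: str          # principal names must not contain NUL, the separator used below
    renewer: str
    issue_date: int
    max_date: int
    seq_no: int
    def to_bytes(self) -> bytes:
        header = struct.pack(">QQI", self.issue_date, self.max_date, self.seq_no)
        return header + f"{self.owner}\0{self.renewer}".encode()
    @classmethod
    def from_bytes(cls, data: bytes) -> "DelegationTokenIdentifier":
        try:
            issue, max_date, seq = struct.unpack_from(">QQI", data, 0)
            owner, renewer = data[20:].decode().split("\0")
        except (struct.error, UnicodeDecodeError, ValueError) as e:
            raise InvalidToken("malformed identifier") from e
        return cls(owner, renewer, issue, max_date, seq)

class DelegationTokenSecretManager:
    """Token kind 1 (hypothetical): password = HMAC(master_key, identifier); server keeps only ids."""
    kind = "DELEGATION_TOKEN"
    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        self._seq = 0
        self._issued: Dict[int, bytes] = {}   # seq_no -> identifier, so the NN can revoke
    def issue(self, owner: str, renewer: str, now: int, lifetime: int) -> Tuple[bytes, bytes]:
        self._seq += 1
        ident = DelegationTokenIdentifier(owner, renewer, now, now + lifetime, self._seq).to_bytes()
        self._issued[self._seq] = ident
        return ident, hmac.new(self._master_key, ident, hashlib.sha1).digest()
    def retrieve_password(self, identifier: bytes, now: int) -> bytes:
        ident = DelegationTokenIdentifier.from_bytes(identifier)
        if self._issued.get(ident.seq_no) != identifier:   # edited fields or revoked token
            raise InvalidToken("unknown or revoked token")
        if now > ident.max_date:
            raise InvalidToken("expired token")
        return hmac.new(self._master_key, identifier, hashlib.sha1).digest()

class PreSharedTokenSecretManager:
    """Token kind 2 (hypothetical): operator-configured shared secrets, the JT -> NN bootstrap case."""
    kind = "SHARED_SECRET_TOKEN"
    def __init__(self, secrets_by_principal: Dict[bytes, bytes]) -> None:
        self._secrets = dict(secrets_by_principal)
    def retrieve_password(self, identifier: bytes, now: int) -> bytes:
        if identifier not in self._secrets:
            raise InvalidToken("unknown principal")
        return self._secrets[identifier]

def compute_response(password: bytes, nonce: bytes, identifier: bytes) -> bytes:
    """Simplified stand-in for the DIGEST-MD5 response: keyed hash over server challenge and identity."""
    return hmac.new(password, nonce + identifier, hashlib.sha256).digest()

class TokenAuthServer:
    """RPC server side: dispatch on the token kind instead of assuming Kerberos."""
    def __init__(self) -> None:
        self._managers: Dict[str, object] = {}
    def register(self, manager) -> None:
        self._managers[manager.kind] = manager
    def verify(self, kind: str, identifier: bytes, nonce: bytes, response: bytes, now: int) -> bool:
        manager = self._managers.get(kind)
        if manager is None:                       # no plug-in for this kind: reject, never guess
            return False
        try:
            password = manager.retrieve_password(identifier, now)
        except InvalidToken:
            return False
        return hmac.compare_digest(compute_response(password, nonce, identifier), response)

def demo() -> Dict[str, bool]:
    """Constructed scenario: one server, two token kinds; returns the outcome of each check."""
    server, now = TokenAuthServer(), 1_700_000_000
    dtm = DelegationTokenSecretManager(master_key=b"constructed-master-key")
    server.register(dtm)
    server.register(PreSharedTokenSecretManager({b"jt@cluster": b"constructed-jt-secret"}))
    ident, pw = dtm.issue("alice", "jt", now, lifetime=3600)
    forged = DelegationTokenIdentifier("root", "jt", now, now + 3600, 1).to_bytes()
    nonce = secrets.token_bytes(16)               # fresh server challenge for this exchange
    def attempt(kind, ident_, pw_, at):           # client computes the response, server checks it
        return server.verify(kind, ident_, nonce, compute_response(pw_, nonce, ident_), at)
    return {
        "delegation_ok": attempt(dtm.kind, ident, pw, now),
        "delegation_expired": attempt(dtm.kind, ident, pw, now + 7200),
        "forged_owner": attempt(dtm.kind, forged, pw, now),
        "shared_ok": attempt("SHARED_SECRET_TOKEN", b"jt@cluster", b"constructed-jt-secret", now),
        "shared_wrong_secret": attempt("SHARED_SECRET_TOKEN", b"jt@cluster", b"guess", now),
        "unregistered_kind": attempt("KERBEROS", ident, pw, now),
    }
```

The point of the split between `TokenAuthServer` and the secret managers is the one Daryn's comment makes about `UGI.isSecurityEnabled()`: the server never asks "is Kerberos on?", it only asks whether a plug-in exists for the presented token kind and whether that plug-in can produce a password for the identifier. Expiry and revocation live entirely inside the delegation-token manager, and `compare_digest` keeps the final response check constant-time regardless of which kind produced the password.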