[ https://issues.apache.org/jira/browse/HADOOP-9798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jerry Chen updated HADOOP-9798:
-------------------------------
Fix Version/s: (was: 3.0.0)
> TokenAuth Implementation - HAS
> ------------------------------
>
> Key: HADOOP-9798
> URL: https://issues.apache.org/jira/browse/HADOOP-9798
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 3.0.0
> Reporter: Jerry Chen
> Labels: Rhino
>
> HAS is a complete and enterprise-ready security solution based on the TokenAuth
> framework proposed by HADOOP-9392 and utilizing the common facilities
> provided by the framework. It provides all the necessary implementations of
> entities, interfaces and services defined in the framework that are required by
> industrial deployment.
> As a major goal for Rhino, HAS addresses AAA (Authentication, Authorization
> and Auditing) concerns for Hadoop across the ecosystem. The 'A' of HAS could
> be explained as "Authentication", "Authorization", or "Auditing", depending
> on which role(s) HAS is configured with. In high level considerations, we may
> need Authentication Server, Authorization Server, or Auditing Server, and
> such servers would be great to be combined into one centralized server, or be
> deployed separately regarding performance or network concerns. Currently
> we're mainly focusing on "Authentication" and "Authorization", and these two
> roles can be configured in one server instance or in separate server
> instances.
> A more detailed scope of HAS implementation is as follows:
> * Define and implement the common and management facilities shared across the
> implementation of different services. These include configuration mechanism
> for services, persistent API and method for loading and storing data,
> auditing and logging API, shared high availability approach, REST API
> framework and authentication and so on.
> * Define and implement Authentication Server role for HAS. The authentication
> server provides identity authentication service and issues identity token.
> The authentication can be configured with a chain of authentication modules
> for providing multi-factor authentication ability. By default, we will
> support AD (as LDAP) / LDAP authentication module and AD (as Kerberos) /
> Kerberos authentication module.
> * Define and implement Authorization Server role for HAS. The authorization
> server includes service level authorization, access token issue and
> fine-grained authorization service.
> * Implement Attribute Service for HAS, to allow integration of third party
> attribute authorities. The Attribute Service provides the ability to connect
> and retrieve attributes from different attribute sources such as LDAP or
> Database.
> * Provide an authorization enforcement library for Hadoop services to enforce
> security policies utilizing related services provided by the Authorization
> Server. To enforce the fine-grained authorization policies, the policies must
> be loaded, synchronized, and evaluated on the Hadoop side.