Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Threaded View
Hadoop >> mail # dev >> [DISCUSS] Hadoop SSO/Token Server Components

Copy link to this message
RE: [DISCUSS] Hadoop SSO/Token Server Components
Hi Larry,

Thanks for the update. Good to see that with this update we are now aligned on most points.

 I have also updated our TokenAuth design in HADOOP-9392. The new revision incorporates feedback and suggestions in related discussion with the community, particularly from Microsoft and others attending the Security design lounge session at the Hadoop summit. Summary of the changes:
1.    Revised the approach to now use two tokens, Identity Token plus Access Token, particularly considering our authorization framework and compatibility with HSSO;
2.    Introduced Authorization Server (AS) from our authorization framework into the flow that issues access tokens for clients with identity tokens to access services;
3.    Refined proxy access token and the proxy/impersonation flow;
4.    Refined the browser web SSO flow regarding access to Hadoop web services;
5.    Added Hadoop RPC access flow regarding CLI clients accessing Hadoop services via RPC/SASL;
6.    Added client authentication integration flow to illustrate how desktop logins can be integrated into the authentication process to TAS to exchange identity token;
7.    Introduced fine grained access control flow from authorization framework, I have put it in appendices section for the reference;
8.    Added a detailed flow to illustrate Hadoop Simple authentication over TokenAuth, in the appendices section;
9.    Added secured task launcher in appendices as possible solutions for Windows platform;
10.    Removed low level contents, and not so relevant parts into appendices section from the main body.

As we all think about how to layer HSSO on TAS in TokenAuth framework, please take some time to look at the doc and then let's discuss the gaps we might have. I would like to discuss these gaps with focus on the implementations details so we are all moving towards getting code done. Let's continue this part of the discussion in HADOOP-9392 to allow for better tracking on the JIRA itself. For discussions related to Centralized SSO server, suggest we continue to use HADOOP-9533 to consolidate all discussion related to that JIRA. That way we don't need extra umbrella JIRAs.

I agree we should speed up these discussions, agree on some of the implementation specifics so both us can get moving on the code while not stepping on each other in our work.

Look forward to your comments and comments from others in the community. Thanks.


-----Original Message-----
From: Larry McCay [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 03, 2013 4:04 AM
Subject: [DISCUSS] Hadoop SSO/Token Server Components

All -

As a follow up to the discussions that were had during Hadoop Summit, I would like to introduce the discussion topic around the moving parts of a Hadoop SSO/Token Service.
There are a couple of related Jira's that can be referenced and may or may not be updated as a result of this discuss thread.


As the first aspect of the discussion, we should probably state the overall goals and scoping for this effort:
* An alternative authentication mechanism to Kerberos for user authentication
* A broader capability for integration into enterprise identity and SSO solutions
* Possibly the advertisement/negotiation of available authentication mechanisms
* Backward compatibility for the existing use of Kerberos
* No (or minimal) changes to existing Hadoop tokens (delegation, job, block access, etc)
* Pluggable authentication mechanisms across: RPC, REST and webui enforcement points
* Continued support for existing authorization policy/ACLs, etc
* Keeping more fine grained authorization policies in mind - like attribute based access control
- fine grained access control is a separate but related effort that we must not preclude with this effort
* Cross cluster SSO

In order to tease out the moving parts here are a couple high level and simplified descriptions of SSO interaction flow:
+------+ credentials 1 | SSO  |
+------+  :tokens      +------+
 2 |                    
   | access token
   V :requested resource

The above diagram represents the simplest interaction model for an SSO service in Hadoop.
1. client authenticates to SSO service and acquires an access token
  a. client presents credentials to an authentication service endpoint exposed by the SSO server (AS) and receives a token representing the authentication event and verified identity
  b. client then presents the identity token from 1.a. to the token endpoint exposed by the SSO server (TGS) to request an access token to a particular Hadoop service and receives an access token 2. client presents the Hadoop access token to the Hadoop service for which the access token has been granted and requests the desired resource or services
  a. access token is presented as appropriate for the service endpoint protocol being used
  b. Hadoop service token validation handler validates the token and verifies its integrity and the identity of the issuer
    |  IdP |
    1   ^ credentials
        | :idp_token
        |                      +------+
+------+  idp_token  2 | SSO  |
+------+  :tokens      +------+
 3 |                    
   | access token
   V :requested resource

The above diagram represents a slightly more complicated interaction model for an SSO service in Hadoop that removes Hadoop from the credential collection business.
1. client authenticates to a trusted identity provider within the enterprise and acquires an IdP specific token
  a. client presents credentials to an enterprise IdP and receives a token representing the authentication identity 2. client authenticates to SSO service and acquires an