Hadoop >> mail # dev >> [DISCUSS] Hadoop SSO/Token Server Components
Re: [DISCUSS] Hadoop SSO/Token Server Components
Hi Kai -

I think that I need to clarify something…

This is not an update for 9533 but a continuation of the discussions that are focused on a fresh look at a SSO for Hadoop.
We've agreed to leave our previous designs behind and therefore we aren't really seeing it as an HSSO layered on top of TAS approach or an HSSO vs TAS discussion.

Your latest design revision actually makes it clear that you are now targeting exactly what was described as HSSO - so comparing and contrasting is not going to add any value.

What we need you to do at this point, is to look at those high-level components described on this thread and comment on whether we need additional components or any that are listed that don't seem necessary to you and why.
In other words, we need to define and agree on the work that has to be done.

We also need to determine those components that need to be done before anything else can be started.
I happen to agree with Brian that #4 Hadoop SSO Tokens are central to all the other components and should probably be defined and POC'd in short order.

Personally, I think that continuing the separation of 9533 and 9392 will do this effort a disservice. There doesn't seem to be enough differences between the two to justify separate jiras anymore. It may be best to file a new one that reflects a single vision without the extra cruft that has built up in either of the existing ones. We would certainly reference the existing ones within the new one. This approach would align with the spirit of the discussions up to this point.

I am prepared to start a discussion around the shape of the two Hadoop SSO tokens: identity and access, if this is what others feel the next topic should be.
If we can identify a jira home for it, we can do it there - otherwise we can create another DISCUSS thread for it.

thanks,

--larry
On Jul 3, 2013, at 2:39 PM, "Zheng, Kai" <[EMAIL PROTECTED]> wrote:

> Hi Larry,
>
> Thanks for the update. Good to see that with this update we are now aligned on most points.
>
> I have also updated our TokenAuth design in HADOOP-9392. The new revision incorporates feedback and suggestions in related discussion with the community, particularly from Microsoft and others attending the Security design lounge session at the Hadoop summit. Summary of the changes:
> 1. Revised the approach to now use two tokens, Identity Token plus Access Token, particularly considering our authorization framework and compatibility with HSSO;
> 2. Introduced Authorization Server (AS) from our authorization framework into the flow that issues access tokens for clients with identity tokens to access services;
> 3. Refined proxy access token and the proxy/impersonation flow;
> 4. Refined the browser web SSO flow regarding access to Hadoop web services;
> 5. Added Hadoop RPC access flow regarding CLI clients accessing Hadoop services via RPC/SASL;
> 6. Added client authentication integration flow to illustrate how desktop logins can be integrated into the authentication process to TAS to exchange identity token;
> 7. Introduced fine grained access control flow from authorization framework; I have put it in the appendices section for reference;
> 8. Added a detailed flow to illustrate Hadoop Simple authentication over TokenAuth, in the appendices section;
> 9. Added secured task launcher in appendices as possible solutions for Windows platform;
> 10. Removed low level contents, and not so relevant parts, from the main body into the appendices section.
>
> As we all think about how to layer HSSO on TAS in TokenAuth framework, please take some time to look at the doc and then let's discuss the gaps we might have. I would like to discuss these gaps with focus on the implementations details so we are all moving towards getting code done. Let's continue this part of the discussion in HADOOP-9392 to allow for better tracking on the JIRA itself. For discussions related to Centralized SSO server, suggest we continue to use HADOOP-9533 to consolidate all discussion related to that JIRA. That way we don't need extra umbrella JIRAs.