Hadoop, mail # dev - [DISCUSS] Hadoop SSO/Token Server Components

Re: [DISCUSS] Hadoop SSO/Token Server Components
Andrew Purtell 2013-07-03, 23:35
Hi Larry,

Of course I'll let Kai speak for himself. However, let me point out that,
while the differences between the competing JIRAs have been reduced for
sure, there were some key differences that didn't just disappear.
Subsequent discussion will make that clear. I also disagree with your
characterization that we have simply endorsed all of the design decisions
of the so-called HSSO, this is taking a mile from an inch. We are here to
engage in a collaborative process as peers. I've been encouraged by the
spirit of the discussions up to this point and hope that can continue
beyond one design summit.

On Wed, Jul 3, 2013 at 1:10 PM, Larry McCay <[EMAIL PROTECTED]> wrote:

> Hi Kai -
>
> I think that I need to clarify something…
>
> This is not an update for 9533 but a continuation of the discussions that
> are focused on a fresh look at an SSO for Hadoop.
> We've agreed to leave our previous designs behind and therefore we aren't
> really seeing it as an HSSO layered on top of TAS approach or an HSSO vs
> TAS discussion.
>
> Your latest design revision actually makes it clear that you are now
> targeting exactly what was described as HSSO - so comparing and contrasting
> is not going to add any value.
>
> What we need you to do at this point, is to look at those high-level
> components described on this thread and comment on whether we need
> additional components or any that are listed that don't seem necessary to
> you and why.
> In other words, we need to define and agree on the work that has to be
> done.
>
> We also need to determine those components that need to be done before
> anything else can be started.
> I happen to agree with Brian that #4 Hadoop SSO Tokens are central to all
> the other components and should probably be defined and POC'd in short
> order.
>
> Personally, I think that continuing the separation of 9533 and 9392 will
> do this effort a disservice. There doesn't seem to be enough differences
> between the two to justify separate jiras anymore. It may be best to file a
> new one that reflects a single vision without the extra cruft that has
> built up in either of the existing ones. We would certainly reference the
> existing ones within the new one. This approach would align with the spirit
> of the discussions up to this point.
>
> I am prepared to start a discussion around the shape of the two Hadoop SSO
> tokens, identity and access, if this is what others feel the next topic
> should be.
> If we can identify a jira home for it, we can do it there - otherwise we
> can create another DISCUSS thread for it.
>
> thanks,
>
> --larry
>
>
> On Jul 3, 2013, at 2:39 PM, "Zheng, Kai" <[EMAIL PROTECTED]> wrote:
>
> > Hi Larry,
> >
> > Thanks for the update. Good to see that with this update we are now
> > aligned on most points.
> >
> > I have also updated our TokenAuth design in HADOOP-9392. The new
> > revision incorporates feedback and suggestions in related discussion with
> > the community, particularly from Microsoft and others attending the
> > Security design lounge session at the Hadoop summit. Summary of the changes:
> > 1.    Revised the approach to now use two tokens, Identity Token plus
> > Access Token, particularly considering our authorization framework and
> > compatibility with HSSO;
> > 2.    Introduced Authorization Server (AS) from our authorization
> > framework into the flow that issues access tokens for clients with identity
> > tokens to access services;
> > 3.    Refined proxy access token and the proxy/impersonation flow;
> > 4.    Refined the browser web SSO flow regarding access to Hadoop web
> > services;
> > 5.    Added Hadoop RPC access flow regarding CLI clients accessing
> > Hadoop services via RPC/SASL;
> > 6.    Added client authentication integration flow to illustrate how
> > desktop logins can be integrated into the authentication process to TAS to
> > exchange identity token;
> > 7.    Introduced fine-grained access control flow from the authorization
> > framework; I have put it in the appendices section for reference;
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)