Jerry Chen created HADOOP-9798:
----------------------------------
Summary: TokenAuth Implementation - HAS
Key: HADOOP-9798
URL: https://issues.apache.org/jira/browse/HADOOP-9798
Project: Hadoop Common
Issue Type: Sub-task
Components: security
Affects Versions: 3.0.0
Reporter: Jerry Chen
HAS is a complete, enterprise-ready security solution based on the TokenAuth
framework proposed by HADOOP-9392, utilizing the common facilities provided
by that framework. It provides all the implementations of the entities,
interfaces and services defined in the framework that are required for
industrial deployment.
As a major goal for Rhino, HAS addresses AAA (Authentication, Authorization and
Auditing) concerns for Hadoop across the ecosystem. The 'A' of HAS can be
read as "Authentication", "Authorization", or "Auditing", depending on
which role(s) HAS is configured with. At a high level, we may need an
Authentication Server, an Authorization Server, or an Auditing Server; such
servers could be combined into one centralized server, or deployed separately
depending on performance or network concerns. Currently we are mainly focusing
on "Authentication" and "Authorization", and these two roles can be configured
in one server instance or in separate server instances.
A more detailed scope of HAS implementation is as follows:
* Define and implement the common and management facilities shared across the
implementations of the different services. These include a configuration
mechanism for services, a persistence API and methods for loading and storing
data, auditing and logging APIs, a shared high-availability approach, a REST
API framework, authentication, and so on.
* Define and implement the Authentication Server role for HAS. The
authentication server provides an identity authentication service and issues
identity tokens. Authentication can be configured as a chain of authentication
modules to provide multi-factor authentication. By default, we will support an
AD (as LDAP) / LDAP authentication module and an AD (as Kerberos) / Kerberos
authentication module.
* Define and implement the Authorization Server role for HAS. The authorization
server includes service-level authorization, access token issuance and a
fine-grained authorization service.
* Implement the Attribute Service for HAS, to allow integration of third-party
attribute authorities. The Attribute Service provides the ability to connect to
and retrieve attributes from different attribute sources such as LDAP or a
database.
* Provide an authorization enforcement library for Hadoop services to enforce
security policies using the related services provided by the Authorization
Server. To enforce the fine-grained authorization policies, the policies must
be loaded, synchronized, and evaluated on the Hadoop service side.
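As an added illustration of how the roles listed above fit together (this is example code written for this page, not HAS or Hadoop code), the following Python models an authentication module chain that issues an identity token, an authorization server that exchanges that identity token for an access token carrying attributes gathered from several attribute sources, and an enforcement library that verifies the access token offline and evaluates locally loaded policies. The function names (`authenticate`, `issue_access_token`, `is_authorized`), the HMAC-signed token format, and the sample users, attribute sources and policies are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional

# Constructed signing keys; a real deployment provisions these out of band.
AUTHN_KEY = b"constructed-authentication-server-key"
AUTHZ_KEY = b"constructed-authorization-server-key"
TOKEN_TTL = 300  # token lifetime in seconds (assumed)


def sign_token(key: bytes, claims: Dict) -> str:
    """Serialise claims and append an HMAC so any holder of the key can verify them offline."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def verify_token(key: bytes, token: str) -> Optional[Dict]:
    """Return the claims if the MAC matches and the token is unexpired, otherwise None."""
    body, _, mac = token.rpartition(".")  # the hex MAC never contains '.'
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > int(time.time()) else None


# --- Authentication Server: a chain of modules; every module must accept ---
# Constructed stand-ins for the LDAP and second-factor modules; real modules
# would query a directory or KDC instead of these dictionaries.
DIRECTORY = {"alice": "correct-horse", "bob": "battery-staple"}
OTP_CODES = {"alice": "246810", "bob": "135791"}


def ldap_module(creds: Dict) -> bool:
    return DIRECTORY.get(creds.get("user")) == creds.get("password")


def otp_module(creds: Dict) -> bool:
    return OTP_CODES.get(creds.get("user")) == creds.get("otp")


AUTHN_CHAIN: List[Callable[[Dict], bool]] = [ldap_module, otp_module]


def authenticate(creds: Dict) -> Optional[str]:
    """Issue an identity token only when every module in the chain succeeds."""
    for module in AUTHN_CHAIN:
        if not module(creds):
            return None  # fail closed on the first rejected factor
    claims = {"sub": creds["user"], "iss": "authn", "exp": int(time.time()) + TOKEN_TTL}
    return sign_token(AUTHN_KEY, claims)


# --- Attribute Service: merges attributes from several constructed sources ---
ATTRIBUTE_SOURCES = [
    {"alice": {"dept": "finance"}, "bob": {"dept": "eng"}},  # e.g. an LDAP source
    {"alice": {"clearance": 2}, "bob": {"clearance": 1}},    # e.g. a database source
]


def fetch_attributes(subject: str) -> Dict:
    attrs: Dict = {}
    for source in ATTRIBUTE_SOURCES:
        attrs.update(source.get(subject, {}))
    return attrs


# --- Authorization Server: exchanges an identity token for an access token ---
def issue_access_token(identity_token: str) -> Optional[str]:
    identity = verify_token(AUTHN_KEY, identity_token)
    if identity is None:
        return None  # only tokens issued by the authentication server are accepted
    claims = {"sub": identity["sub"], "iss": "authz",
              "attrs": fetch_attributes(identity["sub"]),
              "exp": int(time.time()) + TOKEN_TTL}
    return sign_token(AUTHZ_KEY, claims)


# --- Enforcement library: policies loaded locally, evaluated on the Hadoop side ---
# Constructed policy set: each rule names a resource prefix, the permitted actions
# and the attribute values the caller must hold. Anything unmatched is denied.
POLICIES = [
    {"resource": "/data/finance", "actions": {"read"}, "require": {"dept": "finance"}},
    {"resource": "/data/finance", "actions": {"write"}, "require": {"dept": "finance", "clearance": 3}},
    {"resource": "/data/public", "actions": {"read"}, "require": {}},
]


def is_authorized(access_token: str, resource: str, action: str) -> bool:
    """Verify the access token offline, then evaluate the local policy set (deny by default)."""
    claims = verify_token(AUTHZ_KEY, access_token)
    if claims is None:
        return False
    attrs = claims["attrs"]
    for rule in POLICIES:
        if (resource.startswith(rule["resource"]) and action in rule["actions"]
                and all(attrs.get(k) == v for k, v in rule["require"].items())):
            return True
    return False
```

Two properties of the design are worth noting. The enforcement library needs only the authorization server's verification key and a synchronized copy of the policies, so a Hadoop service can decide each request without a network round trip, which is what "loaded, synchronized, and evaluated on the Hadoop side" buys. Separate keys for the two servers mean an identity token cannot be presented where an access token is expected, and vice versa, so the authentication and authorization roles stay distinct even when both are hosted in one process.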