RE: [DISCUSS] Hadoop SSO/Token Server Components

2013-09-05 Thread Zheng, Kai
-Original Message- From: Suresh Srinivas [mailto:sur...@hortonworks.com] Sent: Thursday, September 05, 2013 2:42 PM To: common-dev@hadoop.apache.org Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components > One aside: if you come across a bug, please try to fix it upstream and >

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-09-04 Thread Suresh Srinivas
> One aside: if you come across a bug, please try to fix it upstream and > then merge into the feature branch rather than cherry-picking patches > or only fixing it on the branch. It becomes very awkward to track. -C Related to this, when refactoring the code, generally required for large feature

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-09-04 Thread Larry McCay
13 6:45 AM > To: common-dev@hadoop.apache.org > Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components > > On Tue, Sep 3, 2013 at 5:20 AM, Larry McCay > wrote: > > One outstanding question for me - how do we go about getting the > > branches created? > > Once

RE: [DISCUSS] Hadoop SSO/Token Server Components

2013-09-03 Thread Zheng, Kai
This looks good and reasonable to me. Thanks Chris. -Original Message- From: Chris Douglas [mailto:cdoug...@apache.org] Sent: Wednesday, September 04, 2013 6:45 AM To: common-dev@hadoop.apache.org Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components On Tue, Sep 3, 2013 at 5:20 AM

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-09-03 Thread Chris Douglas
>>>>> c. Successfully invoke a hadoop service RPC API >> > >>>>> >> > >>>>> USECASE CLI-2 Federation/SAML: >> > >>>>> For CLI/RPC clients, we will provide the ability to: >> > >>>>> 1. acquire SAM

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-09-03 Thread Larry McCay
> - directing the returned response to a file may suffice for > >> now > >> > >>>> something like ">~/.hadoop_tokens/.id_token" > >> > >>>>> 2. use hadoop CLI to invoke RPC API on a specific hadoop service > >>

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-09-03 Thread Larry McCay
'cat > > >>>> ~/.hadoop_tokens/.id_token'" > > >>>>> 3. use hadoop CLI to invoke RPC API on a specific hadoop service > > >>>>> a. RPC client negotiates a TokenAuth method through SASL layer, > > >>>> hadoop i

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-08-06 Thread Chris Nauroth
>> COMP-9. TokenAuth Method negotiation, etc > >>>>> COMP-10. Client side implementation to leverage REST endpoint for > >>>> acquiring hadoop access tokens given a hadoop id_token > >>>>> COMP-11. Server side implementation to validate incoming had

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-08-06 Thread Larry McCay
tication or federation. >>>>> >>>>> USECASE UI-1 Authentication/LDAP: >>>>> For the authentication usecase: >>>>> 1. User’s browser requests access to a UI console page >>>>> 2. WebSSOAuthenticationHandler intercepts the request and re

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-08-06 Thread Alejandro Abdelnur
> 5. WebSSOAuthenticationHandler for the original UI resource > > interrogates > > > the incoming request again for an authcookie that contains an access > > token > > > upon finding one: > > > >a. validates the incoming token > > > >b. returns

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-08-06 Thread Chris Nauroth
> > > > > > If we were to reframe the immediate scope to the lowest common > > denominator of what is needed for accepting tokens in authentication > > plugins then we gain: > > > > > > 1. a very manageable scope to define and agree upon 2. a deliverable

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-08-06 Thread Alejandro Abdelnur
d. creates appropriate cookie and redirects back to the original > redirect_url - being the requested resource > > 5. WebSSOAuthenticationHandler for the original UI resource interrogates > the incoming request again for an authcookie that contains an access token > upon finding on

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-30 Thread Larry McCay
cookie with the expected token >d. serves requested resource for valid tokens >e. subsequent requests are handled by the AuthenticationFilter recognition > of the hadoop auth cookie > REQUIRED COMPONENTS for UI USECASES: > COMP-12. WebSSOAuthenticationHandler > COMP-13. I

RE: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-10 Thread Brian Swan
Cc: da...@yahoo-inc.com; Kai Zheng; Alejandro Abdelnur Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components It seems to me that we can have the best of both worlds here...it's all about the scoping. If we were to reframe the immediate scope to the lowest common denominator of what is needed

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-10 Thread Larry McCay
> Sent: Wednesday, July 10, 2013 8:15 AM > To: Larry McCay > Cc: common-dev@hadoop.apache.org; da...@yahoo-inc.com; Kai Zheng > Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components > > Larry, all, > > Still is not clear to me what is the end state we are aiming for, or th

RE: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-10 Thread Brian Swan
see what others have done in this area (if anything). Thanks. -Brian -Original Message- From: Alejandro Abdelnur [mailto:t...@cloudera.com] Sent: Wednesday, July 10, 2013 8:15 AM To: Larry McCay Cc: common-dev@hadoop.apache.org; da...@yahoo-inc.com; Kai Zheng Subject: Re: [DISCUSS] Hado

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-10 Thread Daryn Sharp
Sorry for falling out of the loop. I'm catching up the jiras and discussion, and will comment this afternoon. Daryn On Jul 10, 2013, at 8:42 AM, Larry McCay wrote: > All - > > After combing through this thread - as well as the summit session summary > thread, I think that we have the followi

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-10 Thread Alejandro Abdelnur
Larry, all, Still is not clear to me what is the end state we are aiming for, or that we even agree on that. IMO, instead of trying to agree what to do, we should first agree on the final state, then we see what should be changed to get there, then we see how we change things to get there. The d

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-10 Thread Larry McCay
All - After combing through this thread - as well as the summit session summary thread, I think that we have the following two items that we can probably move forward with: 1. TokenAuth method - assuming this means the pluggable authentication mechanisms within the RPC layer (2 votes: Kai and

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-05 Thread Larry McCay
Hi Andy - > Happy Fourth of July to you and yours. Same to you and yours. :-) We had some fun in the sun for a change - we've had nothing but rain on the east coast lately. > My concern here is there may have been a misinterpretation or lack of > consensus on what is meant by "clean slate" Ap

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-05 Thread Larry McCay
Hi Alejandro - I missed your #4 in my summary and takeaways of the session in another thread on this list. I believe that the points of discussion were along the lines of: * put common security libraries into common much the same way as hadoop-auth is today making each available as separate ma

RE: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-05 Thread Zheng, Kai
service to start with. Hopefully I can finish and provide my working codes as a patch for the discussion. Thanks & regards, Kai -Original Message- From: Alejandro Abdelnur [mailto:t...@cloudera.com] Sent: Friday, July 05, 2013 4:09 AM To: common-dev@hadoop.apache.org Subject: Re: [DISC

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-04 Thread Alejandro Abdelnur
Leaving JIRAs and design docs aside, my recollection from the f2f lounge discussion could be summarized as: -- 1* Decouple users-services authentication from (intra) services-services authentication. The main motivation for this is to get pluggable authentication and integrated SSO experience

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-04 Thread Andrew Purtell
Hi Larry (and all), Happy Fourth of July to you and yours. In our shop Kai and Tianyou are already doing the coding, so I'd defer to them on the detailed points. My concern here is there may have been a misinterpretation or lack of consensus on what is meant by "clean slate". Hopefully that can

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-04 Thread Larry McCay
ntinue our collaborative effort to contribute code to > these JIRAs. > > Regards, > Kai > > -Original Message- > From: Larry McCay [mailto:lmc...@hortonworks.com] > Sent: Thursday, July 04, 2013 4:10 AM > To: Zheng, Kai > Cc: common-dev@hadoop.apache.org > Su

RE: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-04 Thread Zheng, Kai
e our collaborative effort to contribute code to these JIRAs. Regards, Kai -Original Message- From: Larry McCay [mailto:lmc...@hortonworks.com] Sent: Thursday, July 04, 2013 4:10 AM To: Zheng, Kai Cc: common-dev@hadoop.apache.org Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-04 Thread Larry McCay
we can all agree on an > approach to move forward collaboratively. > > Thanks, > Tianyou > > -----Original Message- > From: Larry McCay [mailto:lmc...@hortonworks.com] > Sent: Thursday, July 04, 2013 4:10 AM > To: Zheng, Kai > Cc: common-dev@hadoop.apache.org >

RE: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-03 Thread Li, Tianyou
ree on an approach to move forward collaboratively. Thanks, Tianyou -Original Message- From: Larry McCay [mailto:lmc...@hortonworks.com] Sent: Thursday, July 04, 2013 4:10 AM To: Zheng, Kai Cc: common-dev@hadoop.apache.org Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components Hi Kai - I thi

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-03 Thread Larry McCay
ese gaps with focus on the >> implementations details so we are all moving towards getting code done. >> Let's continue this part of the discussion in HADOOP-9392 to allow for >> better tracking on the JIRA itself. For discussions related to Centralized >> SSO

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-03 Thread Andrew Purtell
> implementation specifics so both us can get moving on the code while not > stepping on each other in our work. > > > > Look forward to your comments and comments from others in the community. > Thanks. > > > > Regards, > > Kai > > > > -Original Messag

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-03 Thread Larry McCay
seemed that in some 1:1 conversations after the > Summit meeting that others may agree with this. Would like to hear if that is > the case more broadly. > > -Brian > > -Original Message- > From: Larry McCay [mailto:lmc...@hortonworks.com] > Sent: Tuesday, July 2,

Re: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-03 Thread Larry McCay
de while not > stepping on each other in our work. > > Look forward to your comments and comments from others in the community. > Thanks. > > Regards, > Kai > > -Original Message- > From: Larry McCay [mailto:lmc...@hortonworks.com] > Sent: Wednesday, July

RE: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-03 Thread Zheng, Kai
ur comments and comments from others in the community. Thanks. Regards, Kai -Original Message- From: Larry McCay [mailto:lmc...@hortonworks.com] Sent: Wednesday, July 03, 2013 4:04 AM To: common-dev@hadoop.apache.org Subject: [DISCUSS] Hadoop SSO/Token Server Components All - As a f

RE: [DISCUSS] Hadoop SSO/Token Server Components

2013-07-03 Thread Brian Swan
ay, July 2, 2013 1:04 PM To: common-dev@hadoop.apache.org Subject: [DISCUSS] Hadoop SSO/Token Server Components All - As a follow up to the discussions that were had during Hadoop Summit, I would like to introduce the discussion topic around the moving parts of a Hadoop SSO/Token Service. There ar

[DISCUSS] Hadoop SSO/Token Server Components

2013-07-02 Thread Larry McCay
All - As a follow up to the discussions that were had during Hadoop Summit, I would like to introduce the discussion topic around the moving parts of a Hadoop SSO/Token Service. There are a couple of related Jiras that can be referenced and may or may not be updated as a result of this discuss