-----Original Message-----
From: Suresh Srinivas [mailto:sur...@hortonworks.com]
Sent: Thursday, September 05, 2013 2:42 PM
To: common-dev@hadoop.apache.org
Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components
> One aside: if you come across a bug, please try to fix it upstream and
> then merge into the feature branch rather than cherry-picking patches
> or only fixing it on the branch. It becomes very awkward to track. -C
Related to this, when refactoring the code, generally required for large
feature
13 6:45 AM
> To: common-dev@hadoop.apache.org
> Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components
>
> On Tue, Sep 3, 2013 at 5:20 AM, Larry McCay
> wrote:
> > One outstanding question for me - how do we go about getting the
> > branches created?
>
> Once
This looks good and reasonable to me. Thanks Chris.
-----Original Message-----
From: Chris Douglas [mailto:cdoug...@apache.org]
Sent: Wednesday, September 04, 2013 6:45 AM
To: common-dev@hadoop.apache.org
Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components
On Tue, Sep 3, 2013 at 5:20 AM
>>>>> c. Successfully invoke a hadoop service RPC API
>> > >>>>>
>> > >>>>> USECASE CLI-2 Federation/SAML:
>> > >>>>> For CLI/RPC clients, we will provide the ability to:
>> > >>>>> 1. acquire SAM
> - directing the returned response to a file may suffice for
> >> now
> >> > >>>> something like ">~/.hadoop_tokens/.id_token"
> >> > >>>>> 2. use hadoop CLI to invoke RPC API on a specific hadoop service
> >>
'cat
> > >>>> ~/.hadoop_tokens/.id_token'"
> > >>>>> 3. use hadoop CLI to invoke RPC API on a specific hadoop service
> > >>>>> a. RPC client negotiates a TokenAuth method through SASL layer,
> > >>>> hadoop i
>> COMP-9. TokenAuth Method negotiation, etc
> >>>>> COMP-10. Client side implementation to leverage REST endpoint for
> >>>> acquiring hadoop access tokens given a hadoop id_token
> >>>>> COMP-11. Server side implementation to validate incoming had
tication or federation.
>>>>>
>>>>> USECASE UI-1 Authentication/LDAP:
>>>>> For the authentication usecase:
>>>>> 1. User’s browser requests access to a UI console page
>>>>> 2. WebSSOAuthenticationHandler intercepts the request and re
> 5. WebSSOAuthenticationHandler for the original UI resource
> > interrogates
> > > the incoming request again for an authcookie that contains an access
> > token
> > > upon finding one:
> > > >a. validates the incoming token
> > > >b. returns
> > 2. WebSSOAuthenticationHandler intercepts the request and redirects the
> > browser to an SP web endpoint exposed by the AuthenticationServer passing
> > the requested url as the redirect_url. This endpoint:
> > >a. is dedicated to redirecting to the external
d. creates appropriate cookie and redirects back to the original
> redirect_url - being the requested resource
> > 5. WebSSOAuthenticationHandler for the original UI resource interrogates
> the incoming request again for an authcookie that contains an access token
> upon finding on
cookie with the expected token
>d. serves requested resource for valid tokens
>e. subsequent requests are handled by the AuthenticationFilter recognition
> of the hadoop auth cookie
> REQUIRED COMPONENTS for UI USECASES:
> COMP-12. WebSSOAuthenticationHandler
> COMP-13. I
Cc: da...@yahoo-inc.com; Kai Zheng; Alejandro Abdelnur
Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components
It seems to me that we can have the best of both worlds here...it's all about
the scoping.
If we were to reframe the immediate scope to the lowest common denominator of
what is needed
> Sent: Wednesday, July 10, 2013 8:15 AM
> To: Larry McCay
> Cc: common-dev@hadoop.apache.org; da...@yahoo-inc.com; Kai Zheng
> Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components
>
> Larry, all,
>
> Still is not clear to me what is the end state we are aiming for, or th
see
what others have done in this area (if anything).
Thanks.
-Brian
-----Original Message-----
From: Alejandro Abdelnur [mailto:t...@cloudera.com]
Sent: Wednesday, July 10, 2013 8:15 AM
To: Larry McCay
Cc: common-dev@hadoop.apache.org; da...@yahoo-inc.com; Kai Zheng
Subject: Re: [DISCUSS] Hado
Sorry for falling out of the loop. I'm catching up on the jiras and discussion,
and will comment this afternoon.
Daryn
On Jul 10, 2013, at 8:42 AM, Larry McCay wrote:
> All -
>
> After combing through this thread - as well as the summit session summary
> thread, I think that we have the followi
Larry, all,
Still is not clear to me what is the end state we are aiming for, or that
we even agree on that.
IMO, instead of trying to agree what to do, we should first agree on the
final state, then we see what should be changed to get there, then we see
how we change things to get there.
The d
All -
After combing through this thread - as well as the summit session summary
thread, I think that we have the following two items that we can probably move
forward with:
1. TokenAuth method - assuming this means the pluggable authentication
mechanisms within the RPC layer (2 votes: Kai and
Hi Andy -
> Happy Fourth of July to you and yours.
Same to you and yours. :-)
We had some fun in the sun for a change - we've had nothing but rain on the
east coast lately.
> My concern here is there may have been a misinterpretation or lack of
> consensus on what is meant by "clean slate"
Ap
Hi Alejandro -
I missed your #4 in my summary and takeaways of the session in another thread
on this list.
I believe that the points of discussion were along the lines of:
* put common security libraries into common much the same way as hadoop-auth is
today making each available as separate ma
service to start with. Hopefully I can
finish and provide my working code as a patch for the discussion.
Thanks & regards,
Kai
-----Original Message-----
From: Alejandro Abdelnur [mailto:t...@cloudera.com]
Sent: Friday, July 05, 2013 4:09 AM
To: common-dev@hadoop.apache.org
Subject: Re: [DISC
Leaving JIRAs and design docs aside, my recollection from the f2f lounge
discussion could be summarized as:
--
1* Decouple users-services authentication from (intra) services-services
authentication.
The main motivation for this is to get pluggable authentication and
integrated SSO experience
Hi Larry (and all),
Happy Fourth of July to you and yours.
In our shop Kai and Tianyou are already doing the coding, so I'd defer to
them on the detailed points.
My concern here is there may have been a misinterpretation or lack of
consensus on what is meant by "clean slate". Hopefully that can
ntinue our collaborative effort to contribute code to
> these JIRAs.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Larry McCay [mailto:lmc...@hortonworks.com]
> Sent: Thursday, July 04, 2013 4:10 AM
> To: Zheng, Kai
> Cc: common-dev@hadoop.apache.org
> Su
e our collaborative effort to contribute code to
these JIRAs.
Regards,
Kai
-----Original Message-----
From: Larry McCay [mailto:lmc...@hortonworks.com]
Sent: Thursday, July 04, 2013 4:10 AM
To: Zheng, Kai
Cc: common-dev@hadoop.apache.org
Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components
we can all agree on an
> approach to move forward collaboratively.
>
> Thanks,
> Tianyou
>
> -----Original Message-----
> From: Larry McCay [mailto:lmc...@hortonworks.com]
> Sent: Thursday, July 04, 2013 4:10 AM
> To: Zheng, Kai
> Cc: common-dev@hadoop.apache.org
>
ree on an approach
to move forward collaboratively.
Thanks,
Tianyou
-----Original Message-----
From: Larry McCay [mailto:lmc...@hortonworks.com]
Sent: Thursday, July 04, 2013 4:10 AM
To: Zheng, Kai
Cc: common-dev@hadoop.apache.org
Subject: Re: [DISCUSS] Hadoop SSO/Token Server Components
Hi Kai -
I thi
Hey Andrew -
I largely agree with that statement.
My intention was to let the differences be worked out within the individual
components once they were identified and subtasks created.
My reference to HSSO was really referring to a SSO *server* based design which
was not clearly articulated in
Hi Larry,
Of course I'll let Kai speak for himself. However, let me point out that,
while the differences between the competing JIRAs have been reduced for
sure, there were some key differences that didn't just disappear.
Subsequent discussion will make that clear. I also disagree with your
charac
Thanks, Brian!
Look at that - the power of collaboration - the numbering is correct already!
;-)
I am inclined to agree that we should start with the Hadoop SSO Tokens and am
leaning toward a new jira that leaves behind the cruft but I don't feel very
strongly about it being new.
I do feel like
Hi Kai -
I think that I need to clarify something…
This is not an update for 9533 but a continuation of the discussions that are
focused on a fresh look at a SSO for Hadoop.
We've agreed to leave our previous designs behind and therefore we aren't
really seeing it as an HSSO layered on top of T
Hi Larry,
Thanks for the update. Good to see that with this update we are now aligned on
most points.
I have also updated our TokenAuth design in HADOOP-9392. The new revision
incorporates feedback and suggestions in related discussion with the community,
particularly from Microsoft and other
Thanks, Larry, for starting this conversation (and thanks for the great Summit
meeting summary you sent out a couple of days ago). To weigh in on your
specific discussion points (and renumber them :-))...
1. Are there additional components that would be required for a Hadoop SSO
service?
Not th