
List:       hadoop-dev
Subject:    [jira] [Created] (HADOOP-9798) TokenAuth Implementation - HAS
From:       "Jerry Chen (JIRA)" <jira () apache ! org>
Date:       2013-07-30 8:55:48
Message-ID: JIRA.12660600.1375174436986.135057.1375174548689 () arcas

Jerry Chen created HADOOP-9798:
----------------------------------

             Summary: TokenAuth Implementation - HAS
                 Key: HADOOP-9798
                 URL: https://issues.apache.org/jira/browse/HADOOP-9798
             Project: Hadoop Common
          Issue Type: Sub-task
          Components: security
    Affects Versions: 3.0.0
            Reporter: Jerry Chen


HAS is a complete and enterprise-ready security solution based on the TokenAuth framework
proposed by HADOOP-9392 and utilizing the common facilities provided by the
framework. It provides all the necessary implementations of entities, interfaces and
services defined in the framework that are required by industrial deployment.

As a major goal for Rhino, HAS addresses AAA (Authentication, Authorization and
Auditing) concerns for Hadoop across the ecosystem. The 'A' of HAS could be explained
as "Authentication", "Authorization", or "Auditing", depending on which role(s) HAS
is configured with. In high level considerations, we may need Authentication Server,
Authorization Server, or Auditing Server, and such servers would be great to be
combined into one centralized server, or be deployed separately regarding performance
or network concerns. Currently we're mainly focusing on "Authentication" and
"Authorization", and these two roles can be configured in one server instance or in
separate server instances.

A more detailed scope of HAS implementation is as follows:
* Define and implement the common and management facilities shared across the
implementation of different services. These include configuration mechanism for
services, persistent API and method for loading and storing data, auditing and
logging API, shared high availability approach, REST API framework and authentication
and so on.

* Define and implement Authentication Server role for HAS. The authentication server
provides identity authentication service and issues identity token. The
authentication can be configured with a chain of authentication modules for providing
multi-factor authentication ability. By default, we will support AD (as LDAP) / LDAP
authentication module and AD (as Kerberos) / Kerberos authentication module.

* Define and implement Authorization Server role for HAS. The authorization server
includes service level authorization, access token issue and fine-grained
authorization service.

* Implement Attribute Service for HAS, to allow integration of third party attribute
authorities. The Attribute Service provides the ability to connect and retrieve
attributes from different attribute sources such as LDAP or Database.

* Provides authorization enforcement library for Hadoop services to enforce security
policies utilizing related services provided by the Authorization Server. To enforce
the fine-grained authorization policies, the policies must be loaded, synchronized,
and evaluated at Hadoop side.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

