Merge remote-tracking branch 'asf/trunk' into trunk
diff --git a/has-project/README.md b/has-project/README.md
new file mode 100644
index 0000000..a3c6c1f
--- /dev/null
+++ b/has-project/README.md
@@ -0,0 +1,44 @@
+# Hadoop Authentication Service (HAS)
+A dedicated Hadoop Authentication Server to support various authentication mechanisms other than just Kerberos.
+
+# High level considerations
+* Hadoop services are still strongly authenticated by Kerberos, as Kerberos is the only means so far to enable Hadoop security.
+* Hadoop users can remain to use their familiar login methods.
+* Security admins won't have to migrate and sync up their user accounts to Kerberos back and forth.
+* New authentication mechanism can be customized and plugined.
+
+# Architecture
+![](https://github.com/apache/directory-kerby/tree/trunk/has-project/docs/has-overall.png)
+
+# Design
+Assuming existing users are stored in a SQL database (like MySQL), the detailed design and workflow may go like the following:
+![](https://github.com/apache/directory-kerby/tree/trunk/has-project/docs/has-design.png)
+
+# New mechanism plugin API
+
+## HAS client plugin HasClientPlugin:
+
+```Java
+// Get the login module type ID, used to distinguish this module from others. 
+// Should correspond to the server side module.
+String getLoginType()
+
+// Perform all the client side login logics, the results wrapped in an AuthToken, 
+// will be validated by HAS server.
+AuthToken login(Conf loginConf) throws HasLoginException
+```
+
+## HAS server plugin HasServerPlugin:
+
+```Java
+// Get the login module type ID, used to distinguish this module from others. 
+// Should correspond to the client side module.
+String getLoginType()
+
+// Perform all the server side authentication logics, the results wrapped in an AuthToken, 
+// will be used to exchange a Kerberos ticket.
+AuthToken authenticate(AuthToken userToken) throws HasAuthenException
+```
+
+## Getting Started
+Please look at [Getting Started](https://github.com/apache/directory-kerby/blob/has-project/has/doc/has-start.md) for details.
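Review bot: The Getting Started link on the last added line points to blob/has-project/has/doc/has-start.md, while this same patch adds the file at has-project/docs/has-start.md, so the link does not match the path introduced here. A relative link such as docs/has-start.md would follow the file wherever the tree is checked out. The two image references under Architecture and Design have a related problem: they use github.com/.../tree/trunk/... URLs, which address a repository page rather than the image file itself; relative paths (docs/has-overall.png, docs/has-design.png) would be more robust. Minor wording: "plugined" in the last bullet of "High level considerations" should probably read "plugged in".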
diff --git a/has-project/docs/deploy-https.md b/has-project/docs/deploy-https.md
new file mode 100644
index 0000000..bd6c3c5
--- /dev/null
+++ b/has-project/docs/deploy-https.md
@@ -0,0 +1,153 @@
+Deploy HTTPS

+===============

+

+## 1. Create a keystore file for each host

+

+> keystore: the keystore file that stores the certificate.

+> validity: the valid time of the certificate in days.

+```

+keytool -alias {hostname} -keystore {keystore} -validity {validity} -genkey

+```

+

+> The keytool will ask for more details such as the keystore password, keypassword and CN(hostname).

+

+## 2. Export the certificate public key to a certificate file for each host

+```

+keytool -export -alias {hostname} -keystore {keystore} -rfc -file {cert-file}

+```

+

+## 3. Create a common truststore file (trustAll)

+The truststore file contains the public key from all certificates. If you assume a 2-node cluster with node1 and node2,

+login to node1 and import the truststore file for node1.

+```

+keytool -import -alias {hostname} -keystore {trustAll} -file {cert-file}

+```

+

+## 4. Update the common truststore file

+* Move {trustAll} from node1 to node2 ({trustAll} already has the certificate entry of node1), and repeat Step 3.

+

+* Move the updated {trustAll} from node2 to node1. Repeat these steps for each node in the cluster.

+When you finish, the {trustAll} file will have the certificates from all nodes.

+

+> Note these work could be done on the same node, just notice the hostname.

+

+## 5. Copy {trustAll} from node1 to all of the other nodes

+

+## 6. Validate the common truststore file

+```

+keytool -list -v -keystore {trustAll}

+```

+

+## 7. Edit the Configuration files

+> Deploy {keystore} and {trustAll} files and config /<conf-dir>/ssl-server.conf for HAS server

+```

+ssl.server.keystore.location = {path to keystore}

+ssl.server.keystore.password = {keystore password set in step 1}

+ssl.server.keystore.keypassword = {keypassword set in step 1}

+ssl.server.truststore.reload.interval = 1000

+ssl.server.truststore.location = {path to trustAll}

+ssl.server.truststore.password = {trustAll password set in step 2}

+```

+

+> Config /etc/has/<https_host>/ssl-client.conf for HAS client, the <https_host>

+is the has server address, the same as the value configured in has-client.conf

+```

+ssl.client.truststore.location = {path to trustAll}

+ssl.client.truststore.password = {trustAll password}

+```

+

+> Config $HADOOP_HOME/etc/hadoop/ssl-server.xml for Hadoop

+```

+<configuration>

+

+<property>

+  <name>ssl.server.truststore.location</name>

+  <value>path to trustAll</value>

+</property>

+

+<property>

+  <name>ssl.server.truststore.password</name>

+  <value>trustAll password</value>

+</property>

+

+<property>

+  <name>ssl.server.truststore.type</name>

+  <value>jks</value>

+</property>

+

+<property>

+  <name>ssl.server.truststore.reload.interval</name>

+  <value>10000</value>

+</property>

+

+<property>

+  <name>ssl.server.keystore.location</name>

+  <value>path to keystore</value>

+</property>

+

+<property>

+  <name>ssl.server.keystore.password</name>

+  <value>keystore password</value>

+</property>

+

+<property>

+  <name>ssl.server.keystore.keypassword</name>

+  <value>keystore keypassword</value>

+</property>

+

+<property>

+  <name>ssl.server.keystore.type</name>

+  <value>jks</value>

+</property>

+

+</configuration>

+```

+

+> Config $HADOOP_HOME/etc/hadoop/ssl-client.xml for Hadoop

+```

+<configuration>

+

+<property>

+  <name>ssl.client.truststore.location</name>

+  <value>patch to trustAll</value>

+</property>

+

+<property>

+  <name>ssl.client.truststore.password</name>

+  <value>trustAll password</value>

+</property>

+

+<property>

+  <name>ssl.client.truststore.type</name>

+  <value>jks</value>

+</property>

+

+<property>

+  <name>ssl.client.truststore.reload.interval</name>

+  <value>10000</value>

+</property>

+

+<property>

+  <name>ssl.client.keystore.location</name>

+  <value>path to keystore</value>

+</property>

+

+<property>

+  <name>ssl.client.keystore.password</name>

+  <value>keystore password</value>

+</property>

+

+<property>

+  <name>ssl.client.keystore.keypassword</name>

+  <value>keystore keypassword</value>

+</property>

+

+<property>

+  <name>ssl.client.keystore.type</name>

+  <value>jks</value>

+</property>

+

+</configuration>

+```

+

+> To make the nodes in the cluster communicate bidirectionally, deploy all the configuration files.
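Review bot: In step 7, the ssl-server.conf block says the truststore password is "{trustAll password set in step 2}", but step 2 only exports the certificate; the truststore is created by the keytool -import in step 3, so the step reference should be corrected. A few other points in the same file: the step 1 command "keytool -alias {hostname} -keystore {keystore} -validity {validity} -genkey" leaves the key algorithm and key size to the keytool default, which differs between JDK versions, so stating -keyalg and -keysize explicitly would make the result predictable. ssl.server.truststore.reload.interval is 1000 in the HAS ssl-server.conf but 10000 in both Hadoop XML files; if the difference is intentional, it deserves a sentence, otherwise the values should agree. The ssl-client.xml value "patch to trustAll" is a typo for "path to trustAll". Since every one of these files carries keystore and truststore passwords in clear text, the document should also say what ownership and file permissions the conf files and the {keystore} file are expected to have.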

diff --git a/has-project/docs/deploy-spnego.md b/has-project/docs/deploy-spnego.md
new file mode 100644
index 0000000..d86922b
--- /dev/null
+++ b/has-project/docs/deploy-spnego.md
@@ -0,0 +1,13 @@
+Deploy SPNEGO
+================
+
+## 1. Server Side Configuration(in server side has-server.conf)
+
+To use Kerberos SPNEGO as the authentication mechanism, the authentication filter must be configured with the following init parameters:
+- filter_auth_type : the keyword kerberos. For example: filter_auth_type = kerberos
+
+## 2. Client Side Configuration(in client side admin.conf)
+
+- filter_auth_type the keyword kerberos.  For example: filter_auth_type = kerberos
+- admin_keytab: The path to the keytab file containing the credential for the admin principal. For example: admin_keytab = /etc/has/admin.keytab
+- admin_keytab_principal: The admin principal. For example: admin_keytab_principal = kadmin/<YOUR-REALM.COM>@<YOUR-REALM.COM>
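Review bot: The admin_keytab item in section 2 points at /etc/has/admin.keytab, which holds the credential for the kadmin principal, but the text gives no guidance on protecting that file. Please add a sentence stating the expected owner and permissions (readable only by the account that runs the admin client). Also, the first bullet of section 2 reads "filter_auth_type the keyword kerberos." and is missing the colon used by the other items, and section 1 announces "the following init parameters" but lists only one; say "parameter" or list the rest.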
diff --git a/has-project/docs/has-design.png b/has-project/docs/has-design.png
new file mode 100644
index 0000000..575c503
--- /dev/null
+++ b/has-project/docs/has-design.png
Binary files differ
diff --git a/has-project/docs/has-overall.png b/has-project/docs/has-overall.png
new file mode 100644
index 0000000..2df5e48
--- /dev/null
+++ b/has-project/docs/has-overall.png
Binary files differ
diff --git a/has-project/docs/has-start.md b/has-project/docs/has-start.md
new file mode 100644
index 0000000..cc22768
--- /dev/null
+++ b/has-project/docs/has-start.md
@@ -0,0 +1,88 @@
+Getting Started
+================
+
+## 1. Install
+
+### Download Kerby source code:
+```
+git clone https://github.com/apache/directory-kerby.git
+```
+
+### Install HAS:
+```
+cd directory-kerby
+mvn clean install -Pdist -DskipTests
+```
+
+## 2. Start and configure HAS server
+
+### Deploy https
+Please look at [How to deploy https](https://github.com/apache/directory-kerby/tree/trunk/has-project/docs/deploy-https.md) for details.
+
+### Configure has-server.conf in <conf_dir>:
+An example of has-server.conf:
+```
+[HAS]
+  https_host = localhost
+  https_port = 8092
+  filter_auth_type = kerberos
+  
+[PLUGIN]
+  auth_type = MySQL
+```
+
+### Start HAS server:
+```
+cd HAS/has-dist
+sh bin/start-has.sh <conf_dir> <work_dir>
+```
+
+also:
+```
+export HAS_CONF_DIR=<conf_dir>
+export HAS_WORK_DIR=<work_dir>
+cd HAS/has-dist
+sh bin/start-has.sh
+```
+
+Root privileges required if https_port or KDC port numbers range from 0 to 1023.
+
+### Configure HAS KDC:
+
+Please make sure the following configuration files exist in the conf directory:
+has-server.conf backend.conf kdc.conf
+
+### Start HAS KDC server:
+```
+cd kerby-dist/has-dist
+// Start HAS init tool
+sh bin/has-init.sh <conf_dir>
+HasInitTool: start
+HasInitTool: exit
+```
+
+### Init HAS server:
+```
+cd kerby-dist/has-dist
+// Start HAS init tool
+sh bin/has-init.sh <conf_dir>
+HasInitTool: init
+HasInitTool: exit
+```
+
+### Deploy http spnego
+Please look at [How to deploy http spnego](https://github.com/apache/directory-kerby/tree/trunk/has-project/docs/deploy-spnego.md) for details.
+Please restart the HAS server
+
+```
+cd kerby-dist/has-dist
+sh bin/stop-has.sh
+
+cd kerby-dist/has-dist
+sh bin/start-has.sh <conf_dir> <work_dir>
+
+cd kerby-dist/has-dist
+sh bin/kdcinit.sh <conf_dir>
+HasInitTool: start
+HasInitTool: exit
+```