
Hadoop Authentication Service (HAS)

A dedicated Hadoop Authentication Server to support various authentication mechanisms other than just Kerberos.

High level considerations

  • Hadoop services are still strongly authenticated by Kerberos, as Kerberos is the only means so far to enable Hadoop security.
  • Hadoop users can continue to use their familiar login methods.
  • Security admins won't have to migrate and sync their user accounts to and from Kerberos.
  • New authentication mechanisms can be customized and plugged in.

Architecture

Design

Assuming existing users are stored in a SQL database (like MySQL), the detailed design and workflow may go like the following:

New mechanism plugin API

HAS client plugin HasClientPlugin:

// Get the login module type ID, used to distinguish this module from others.
// It should correspond to the server-side module.
String getLoginType()

// Perform all the client-side login logic. The result, wrapped in an AuthToken,
// will be validated by the HAS server.
AuthToken login(Conf loginConf) throws HasLoginException

HAS server plugin HasServerPlugin:

// Get the login module type ID, used to distinguish this module from others.
// It should correspond to the client-side module.
String getLoginType()

// Perform all the server-side authentication logic. The result, wrapped in an AuthToken,
// will be used to exchange for a Kerberos ticket.
AuthToken authenticate(AuthToken userToken) throws HasAuthenException
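A server-side plugin for the SQL-backed case, sketched as an added example (not code from the HAS project). AuthToken, HasAuthenException and HasServerPlugin are minimal stand-ins declared inside the example, and the login type ID, attribute names, user table and password hashing scheme are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SqlPluginSketch {
    // Stand-ins for the HAS types named in the README; their shapes are assumptions.
    record AuthToken(String subject, Map<String, String> attributes) {}
    static class HasAuthenException extends Exception { HasAuthenException(String m) { super(m); } }
    interface HasServerPlugin {
        String getLoginType();
        AuthToken authenticate(AuthToken userToken) throws HasAuthenException;
    }
    // Constructed row standing in for the SQL user table: per-user salt and PBKDF2 hash.
    record UserRow(byte[] salt, byte[] hash) {}

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static class SqlServerPlugin implements HasServerPlugin {
        private final Map<String, UserRow> users;
        SqlServerPlugin(Map<String, UserRow> users) { this.users = users; }

        public String getLoginType() { return "SQL_EXAMPLE"; } // constructed ID; must match the client plugin

        public AuthToken authenticate(AuthToken userToken) throws HasAuthenException {
            try {
                String pw = userToken.attributes().get("password");
                UserRow row = users.get(userToken.subject());
                // Constant-time hash comparison; the password never leaves this method.
                if (pw != null && row != null
                        && MessageDigest.isEqual(row.hash(), pbkdf2(pw.toCharArray(), row.salt()))) {
                    // Fresh token with only the verified subject: client-sent claims are dropped.
                    return new AuthToken(userToken.subject(), Map.of());
                }
            } catch (Exception e) {
                // Malformed token or crypto failure: fall through to the same generic error.
            }
            throw new HasAuthenException("authentication failed");
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        var plugin = new SqlServerPlugin(
                Map.of("alice", new UserRow(salt, pbkdf2("s3cret".toCharArray(), salt))));
        System.out.println(plugin.authenticate(new AuthToken("alice", Map.of("password", "s3cret", "admin", "true"))));
    }
}
```

The token returned by authenticate() is the one that gets exchanged for a Kerberos ticket, so it is rebuilt from server-verified data only: the client-supplied "admin" attribute and the password are not carried over.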

Getting Started

Please look at Getting Started for details.