Hadoop Authentication Service (HAS)

A dedicated Hadoop Authentication Server to support various authentication mechanisms other than just Kerberos.

High level considerations

Hadoop services are still strongly authenticated by Kerberos, as Kerberos is the only means so far to enable Hadoop security.
Hadoop users can remain to use their familiar login methods.
Security admins won't have to migrate and sync up their user accounts to Kerberos back and forth.
New authentication mechanism can be customized and plugined.

Architecture

Design

Assuming existing users are stored in a SQL database (like MySQL), the detailed design and workflow may go like the following:

New mechanism plugin API

HAS client plugin HasClientPlugin:

// Get the login module type ID, used to distinguish this module from others. 
// Should correspond to the server side module.
String getLoginType()

// Perform all the client side login logics, the results wrapped in an AuthToken, 
// will be validated by HAS server.
AuthToken login(Conf loginConf) throws HasLoginException

HAS server plugin HasServerPlugin:

// Get the login module type ID, used to distinguish this module from others. 
// Should correspond to the client side module.
String getLoginType()

// Perform all the server side authentication logics, the results wrapped in an AuthToken, 
// will be used to exchange a Kerberos ticket.
AuthToken authenticate(AuthToken userToken) throws HasAuthenException

High Availability

Please look at High Availability for details.

Cross Realm

Please look at How to setup cross-realm for details.

Performance test report

Please look at Performance test report for details.

List of supported Hadoop ecosystem components

Big Data Components	Supported	Rebuild Required
Hadoop	Yes	Yes
Zookeeper	Yes	Yes
HBase	Yes	Yes
Hive	Yes	No
Phoenix	Yes	No
Thrift	Yes	No
Spark	Yes	No
Oozie	Yes	No
Presto	Yes (0.148 and later)	No
Pig	Yes	No
Sqoop	Yes	No

Getting Started

Please look at Getting Started for details.