A dedicated Hadoop Authentication Server (HAS) that supports various authentication mechanisms other than just Kerberos.
- Hadoop services are still strongly authenticated by Kerberos, as Kerberos is the only means so far to enable Hadoop security.
- Hadoop users can continue to use their familiar login methods.
- Security admins won't have to migrate and sync up their user accounts to Kerberos back and forth.
- New authentication mechanisms can be customized and plugged in.

Assuming existing users are stored in a SQL database (like MySQL), the detailed design and workflow may look like the following:
Client-side login module:

```java
// Get the login module type ID, used to distinguish this module from others.
// Should correspond to the server-side module.
String getLoginType();

// Perform all the client-side login logic. The results, wrapped in an AuthToken,
// will be validated by the HAS server.
AuthToken login(Conf loginConf) throws HasLoginException;
```

Server-side login module:

```java
// Get the login module type ID, used to distinguish this module from others.
// Should correspond to the client-side module.
String getLoginType();

// Perform all the server-side authentication logic. The results, wrapped in an AuthToken,
// will be used to exchange a Kerberos ticket.
AuthToken authenticate(AuthToken userToken) throws HasAuthenException;
```
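
The following is an added example, not code from the HAS project, showing how a client/server module pair for the SQL-backed case could fit the two signatures above (Java 16+). `Token` and `UserRow` are hypothetical stand-ins for `AuthToken` and a users-table row, the `"MySQL"` type ID and sample credentials are constructed, an in-memory map replaces the database, and the client-to-server channel is assumed to be protected.

```java
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class SqlLoginPluginExample {
    // Hypothetical stand-in for AuthToken: the login type plus its attributes.
    record Token(String loginType, Map<String, String> attrs) {}
    // Hypothetical stand-in for one row of the SQL users table.
    record UserRow(byte[] salt, byte[] hash) {}

    static final String LOGIN_TYPE = "MySQL"; // both sides must return the same ID
    static byte[] pbkdf2(String pw, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    // Client side: wrap what the user typed into a token for the HAS server.
    static Token login(String user, String password) {
        return new Token(LOGIN_TYPE, Map.of("user", user, "secret", password));
    }

    // Server side: validate the user token against the user store. The token
    // returned carries only the verified identity, never the secret.
    static Token authenticate(Token t, Map<String, UserRow> users) throws Exception {
        if (!LOGIN_TYPE.equals(t.loginType()))
            throw new SecurityException("login type mismatch");
        String user = t.attrs().get("user"), secret = t.attrs().get("secret");
        UserRow row = (user == null) ? null : users.get(user);
        // Hash even for unknown users so response time does not reveal them.
        byte[] salt = (row == null) ? new byte[16] : row.salt();
        boolean usable = secret != null && !secret.isEmpty();
        byte[] got = pbkdf2(usable ? secret : "x", salt);
        if (row == null || !usable || !MessageDigest.isEqual(row.hash(), got))
            throw new SecurityException("authentication failed");
        return new Token(LOGIN_TYPE, Map.of("principal", user));
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes(); // constructed sample data
        Map<String, UserRow> users = Map.of("alice", new UserRow(salt, pbkdf2("s3cret-sample", salt)));
        System.out.println(authenticate(login("alice", "s3cret-sample"), users).attrs());
        try {
            authenticate(login("alice", "wrong"), users);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The server answers an unknown user and a wrong password with the same error and does the same hashing work for both, so the login endpoint does not reveal which accounts exist.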
Please look at High Availability for details.
Please look at How to setup cross-realm for details.
Please look at Performance test report for details.
Big Data Components | Supported | Rebuild Required |
---|---|---|
Hadoop | Yes | Yes |
Zookeeper | Yes | Yes |
HBase | Yes | Yes |
Hive | Yes | No |
Phoenix | Yes | No |
Thrift | Yes | No |
Spark | Yes | No |
Oozie | Yes | No |
Presto | Yes (0.148 and later) | No |
Pig | Yes | No |
Sqoop | Yes | No |
Please look at Getting Started for details.