Hadoop Authentication Service (HAS)

A dedicated Hadoop Authentication Server to support various authentication mechanisms other than just Kerberos.

High level considerations

  • Hadoop services are still strongly authenticated by Kerberos, as Kerberos is the only means so far to enable Hadoop security.
  • Hadoop users can continue to use their familiar login methods.
  • Security admins won't have to migrate and sync up their user accounts to Kerberos back and forth.
  • New authentication mechanisms can be customized and plugged in.

Architecture

Design

Assuming existing users are stored in a SQL database (like MySQL), the detailed design and workflow may go like the following:

New mechanism plugin API

HAS client plugin HasClientPlugin:

// Get the login module type ID, used to distinguish this module from others.
// Should correspond to the server-side module.
String getLoginType()

// Perform all the client-side login logic; the result, wrapped in an AuthToken,
// will be validated by the HAS server.
AuthToken login(Conf loginConf) throws HasLoginException

HAS server plugin HasServerPlugin:

// Get the login module type ID, used to distinguish this module from others.
// Should correspond to the client-side module.
String getLoginType()

// Perform all the server-side authentication logic; the result, wrapped in an AuthToken,
// will be used to exchange a Kerberos ticket.
AuthToken authenticate(AuthToken userToken) throws HasAuthenException
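
A server-side plugin for the SQL-backed case described under Design could look like the following. This is an added example, not code from the HAS project: only the two `HasServerPlugin` method signatures come from this README, while the `AuthToken` fields, the exception class body, the `"MySQL"` type ID, the PBKDF2 storage format and the in-memory map standing in for the database lookup are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class ServerPluginSketch {
    // Hypothetical stand-ins: the README names these types but not their members.
    static class HasAuthenException extends Exception { HasAuthenException(String msg) { super(msg); } }
    record AuthToken(String loginType, Map<String, String> attrs) {}
    interface HasServerPlugin {
        String getLoginType();
        AuthToken authenticate(AuthToken userToken) throws HasAuthenException;
    }
    // Assumed shape of one row of the SQL user table: per-user salt and PBKDF2 hash.
    record UserRow(byte[] salt, byte[] hash) {}

    static byte[] pbkdf2(String pw, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static class SqlServerPlugin implements HasServerPlugin {
        final Map<String, UserRow> users = new HashMap<>(); // constructed data, replaces the DB query
        private final byte[] dummySalt = new byte[16];
        public String getLoginType() { return "MySQL"; } // assumed type ID
        public AuthToken authenticate(AuthToken t) throws HasAuthenException {
            if (!getLoginType().equals(t.loginType())) throw new HasAuthenException("login type mismatch");
            String user = t.attrs().getOrDefault("user", "");
            UserRow row = users.get(user);
            boolean ok;
            try { // hash even for unknown users so timing does not reveal which accounts exist
                byte[] got = pbkdf2(t.attrs().getOrDefault("password", ""), row != null ? row.salt() : dummySalt);
                ok = row != null && MessageDigest.isEqual(got, row.hash()); // constant-time compare
            } catch (GeneralSecurityException e) { ok = false; } // fail closed
            if (!ok) throw new HasAuthenException("authentication failed"); // same message for every failure
            return new AuthToken(getLoginType(), Map.of("principal", user)); // password is not forwarded
        }
    }

    public static void main(String[] args) throws Exception {
        SqlServerPlugin p = new SqlServerPlugin();
        byte[] salt = new byte[16]; new SecureRandom().nextBytes(salt);
        p.users.put("alice", new UserRow(salt, pbkdf2("s3cret", salt))); // constructed sample user
        System.out.println(p.authenticate(new AuthToken("MySQL", Map.of("user", "alice", "password", "s3cret"))).attrs());
        try { p.authenticate(new AuthToken("MySQL", Map.of("user", "alice", "password", "wrong"))); }
        catch (HasAuthenException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The token returned by `authenticate` carries only the verified identity, since it is what gets exchanged for a Kerberos ticket; the submitted credential stays on the server side of the check.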

High Availability

Please look at High Availability for details.

Cross Realm

Please look at How to setup cross-realm for details.

Performance test report

Please look at Performance test report for details.

List of supported Hadoop ecosystem components

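| Big Data Components | Supported             | Rebuild Required |
|---------------------|-----------------------|------------------|
| Hadoop              | Yes                   | Yes              |
| Zookeeper           | Yes                   | Yes              |
| HBase               | Yes                   | Yes              |
| Hive                | Yes                   | No               |
| Phoenix             | Yes                   | No               |
| Thrift              | Yes                   | No               |
| Spark               | Yes                   | No               |
| Oozie               | Yes                   | No               |
| Presto              | Yes (0.148 and later) | No               |
| Pig                 | Yes                   | No               |
| Sqoop               | Yes                   | No               |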

Getting Started

Please look at Getting Started for details.