Re: [kitten] Token Preauth for Kerberos
Wang Weijun <weijun.wang@oracle.com> Fri, 13 June 2014 07:34 UTC
From: Wang Weijun <weijun.wang@oracle.com>
Date: Fri, 13 Jun 2014 15:35:04 +0800
To: "Zheng, Kai" <kai.zheng@intel.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/OrH206X_EnGQx9noOQdLYGRkw_0
Cc: "kitten@ietf.org" <kitten@ietf.org>, Simo Sorce <simo@redhat.com>, "krbdev@mit.edu" <krbdev@mit.edu>
JDK 8 has S4U2self and S4U2proxy, but it hasn't been tested in the real world. Also, client, service and backend service must be in the same realm now, since referral is still not supported.

--Max

On Jun 13, 2014, at 15:31, Zheng, Kai <kai.zheng@intel.com> wrote:

> Hi Max,
>
> Would you help clarify the support situation or plan/schedule in JRE/JDK for the mentioned protocol transition (s4u2self) + constrained delegation (s4u2proxy), if I'm not correct? Thanks.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Zheng, Kai
> Sent: Friday, June 13, 2014 3:16 PM
> To: 'Simo Sorce'
> Cc: kitten@ietf.org; krbdev@mit.edu
> Subject: RE: [kitten] Token Preauth for Kerberos
>
> Hi Simo,
>
>>> have you considered protocol transition (s4u2self) + constrained delegation (s4u2proxy) to get tickets at an authentication gateway instead of a new pre auth mechanism ?
>
> Yes, we proposed for the Hadoop community a centralized Authn & Authz Server (HAS) that might be like the gateway you mentioned. It was widely discussed and confirmed that it would be great if the server allowed plugging in authentication modules/providers, but all mechanisms output a token. Sure, I guess it's possible to use the token to go through s4u2self and s4u2proxy in the Kerberos facility across the ecosystem, but as far as I know the JRE only starts to support it from JDK 8. Anyhow, I will check this and make sure it's a doable option in the not so distant future.
>
> A question regarding this:
> Is it possible to contain the token in the service ticket resulting from s4u2self and s4u2proxy as authorization data, so that services can get it as proposed in token-preauth? Note that in our wanted solution the token not only serves for authentication, but is also meant to be passed (or the token attributes) to the service side for fine-grained authorization.
>
> Thanks & regards,
> Kai
>
> -----Original Message-----
> From: Simo Sorce [mailto:simo@redhat.com]
> Sent: Friday, June 13, 2014 5:37 AM
> To: Zheng, Kai
> Cc: kitten@ietf.org; krbdev@mit.edu
> Subject: Re: [kitten] Token Preauth for Kerberos
>
> On Tue, 2014-06-10 at 12:19 +0000, Zheng, Kai wrote:
>> Hi all,
>>
>> I would like to mention an effort regarding Kerberos and propose a new Kerberos preauth mechanism, token-preauth. Before diving into that, please kindly allow me to introduce, mainly for the background and scenario for the proposal.
>>
>> I'm an engineer from Intel and develop identity and security related products. The current focus is Apache Hadoop, and our goal is enabling Hadoop to support more authentication mechanisms and providers. Currently Hadoop only supports the Kerberos authentication method as the built-in secured one, and it's not easy to add more since it involves changes in many projects on top of it in the large ecosystem. The community had proposed a token based authentication, planning to add a TokenAuth method for Hadoop; with TokenAuth all kinds of authentication providers can then be supported, since their authentication results can be wrapped into a token, and the token can be employed to authenticate to Hadoop across the ecosystem. The effort is still ongoing. Considering the complexity, risk and deployment overhead of this approach, our team investigated and thought of another possible solution, i.e. supporting tokens in Kerberos. The basic idea is to allow end users to authenticate to Kerberos with their tokens and obtain tickets, then access Hadoop services using the tickets as the current flow goes. The PoC was already done, and we made it work seamlessly from MIT Kerberos to the Java world and Hadoop.
>>
>> However, we think it's very important to get the key point, token-preauth, reviewed by you security and Kerberos experts, to make sure it's defined and implemented in compliance with the existing standards and protocols, without involving security critical leaks. So please kindly give your feedback; we appreciate it.
>
> Kai,
> have you considered protocol transition (s4u2self) + constrained delegation (s4u2proxy) to get tickets at an authentication gateway instead of a new pre auth mechanism ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
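The gateway flow Simo suggests and Max says JDK 8 supports (S4U2self followed by S4U2proxy via JGSS), as an added example that is not code from this thread or from the JDK itself. It assumes a JAAS entry named `gateway` that logs the gateway's service principal in from a keytab, placeholder principals `alice@EXAMPLE.COM` and `hdfs@namenode.example.com`, a single realm (per Max's caveat), and a KDC that has authorized the gateway principal for constrained delegation to that backend.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4UGateway {
    // Assumed placeholders, not values from the thread. The JAAS entry is expected
    // in the file named by -Djava.security.auth.login.config, e.g.:
    //   gateway { com.sun.security.auth.module.Krb5LoginModule required
    //             useKeyTab=true storeKey=true keyTab="/etc/gateway.keytab"
    //             principal="HTTP/gateway.example.com@EXAMPLE.COM"; };
    static final String JAAS_ENTRY = "gateway";
    static final String USER = "alice@EXAMPLE.COM";                 // user the gateway acts for
    static final String BACKEND = "hdfs@namenode.example.com";     // host-based backend service

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();                                      // gateway's own TGT from its keytab
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            GSSCredential self = mgr.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

            // S4U2self (protocol transition): the KDC issues a ticket to the gateway
            // itself with USER as client, with no user password or TGT involved.
            GSSName user = mgr.createName(USER, GSSName.NT_USER_NAME, krb5);
            GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(user);

            // S4U2proxy (constrained delegation): with that credential, obtain a
            // service ticket for BACKEND whose client name is USER. The KDC only
            // grants this if the gateway is allowed to delegate to BACKEND.
            GSSName backend = mgr.createName(BACKEND, GSSName.NT_HOSTBASED_SERVICE, krb5);
            GSSContext ctx = mgr.createContext(backend, krb5, asUser, GSSContext.DEFAULT_LIFETIME);
            byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);
            // apReq is the AP-REQ to send to the backend; the backend sees
            // ctx.getSrcName() == USER, so its own authorization stays per-user.
            System.out.println("AP-REQ for " + BACKEND + " as " + USER + ": " + apReq.length + " bytes");
            ctx.dispose();
            return null;
        });
        lc.logout();
    }
}
```

If the KDC has not authorized the gateway for delegation to the backend, `initSecContext` fails with a GSSException rather than silently falling back to the gateway's own identity, which is the property a gateway design relies on.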