A token authentication solution for hadoop based on kerberos pre-authentication

As broad adoption of Apache Hadoop [20] accelerates authentication and authorization capabilities are a major concern for data access security. To integrate pluggable authentication providers, enhance desirable single sign on for end users, and enforce centralized access control on the platform, Hadoop community has widely discussed and concluded that token based authentication is the appropriate approach [18]. In this paper we discuss an innovation solution about how to implement the token authentication based on the Kerberos pre-authentication framework [4]. We propose a pre-authentication mechanism for Kerberos [1] that allows users to authenticate to Key Distribution Center (KDC) using a standard token, and develop a plugin for MIT Kerberos that can be deployed separately to employ the new mechanism. Based on that, we develop our token authentication solution for the entire Hadoop stack that helps integrate identity management systems and OAuth 2.0 [6] authorization solutions, meanwhile avoiding complication, risk and deployment overhead.