1) SASL/GSSAPI was used to implement Kerberos. It is also used to mutually authenticate users, their processes, and Hadoop services on RPC connections.
2) Implementers of web applications and web consoles could implement their own authentication mechanism for HTTP connections this includes HTTP SPNEGO authentication
3) Access control to files in HDFS could be enforced by the NameNode based on file permissions – Access Control Lists (ACLs) of users and groups.
4) Delegation tokens are used in communication with the NameNode for subsequent authenticated access without using the Kerberos Server.
5) When access to Data Blocks was needed, the NameNode would make an access control decision based on HDFS file permissions and would issue Block access tokens (using HMAC-SHA1) that could be sent to the DataNode for block access requests.
6) Hadoop web consoles are configured to use HTTP SPNEGO Authentication, an implementation of Kerberos for web consoles.
7) Connections utilizing SASL can be configured to use a Quality of Protection (QoP) of confidential, enforcing encryption at the network level.