MIT Kerberos
A session-key-based authentication service. Hadoop extends it with delegation tokens: signet rings that you can give to services so that they can prove to other services, on your behalf, that their communications are legitimate.
It's ancient and clunky, and the documentation for it is also ancient and clunky. We love it deeply because hatred is not an option at this time.
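The delegation-token idea above, as an added example that is not part of the original note and is not Hadoop's code: the issuer MACs a token identifier with a secret only it holds, and whoever carries the identifier and its MAC can act as the owner until the token expires. The class and field names, the JSON encoding and the use of HMAC-SHA256 are assumptions of this model, not Hadoop's wire format.

```python
import hashlib
import hmac
import json
import secrets


class TokenIssuer:
    """Constructed model of the service that issues and checks tokens."""

    def __init__(self):
        # The master key never leaves the issuer.
        self._master_key = secrets.token_bytes(32)

    def _sign(self, identifier: bytes) -> bytes:
        return hmac.new(self._master_key, identifier, hashlib.sha256).digest()

    def issue(self, owner: str, renewer: str, now: int, lifetime: int):
        # Assumed to be called only after the owner authenticated with Kerberos.
        identifier = json.dumps(
            {"owner": owner, "renewer": renewer,
             "issued": now, "expires": now + lifetime},
            sort_keys=True,
        ).encode()
        return identifier, self._sign(identifier)

    def verify(self, identifier: bytes, password: bytes, now: int):
        """Return the owner if the token is genuine and unexpired, else None."""
        # Constant-time comparison; a tampered identifier changes the MAC.
        if not hmac.compare_digest(self._sign(identifier), password):
            return None
        fields = json.loads(identifier)
        if now >= fields["expires"]:
            return None
        return fields["owner"]


def demo():
    issuer = TokenIssuer()
    ident, password = issuer.issue("alice", "yarn", now=1000, lifetime=600)
    # A worker holding the token acts as alice without her Kerberos credentials.
    ok = issuer.verify(ident, password, now=1200)
    expired = issuer.verify(ident, password, now=1600)
    forged = issuer.verify(ident.replace(b"alice", b"admin"), password, now=1200)
    return ok, expired, forged
```

The token is a bearer credential, so the expiry check is what bounds how long a copied token stays useful.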