Subject [4/4] accumulo git commit: ACCUMULO-3452 Add user manual documentation on impersonation
Date Wed, 21 Jan 2015 23:36:53 GMT
ACCUMULO-3452 Add user manual documentation on impersonation


Branch: refs/heads/master
Commit: ef6042fc5ef55385d35688a029e854d08976c60e
Parents: 98ced20
Author: Josh Elser <>
Authored: Wed Jan 21 18:36:11 2015 -0500
Committer: Josh Elser <>
Committed: Wed Jan 21 18:36:11 2015 -0500

 docs/src/main/asciidoc/chapters/kerberos.txt | 36 +++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/docs/src/main/asciidoc/chapters/kerberos.txt b/docs/src/main/asciidoc/chapters/kerberos.txt
index 3dcac6d..05d7384 100644
--- a/docs/src/main/asciidoc/chapters/kerberos.txt
+++ b/docs/src/main/asciidoc/chapters/kerberos.txt
@@ -184,6 +184,42 @@ something similar to the following in the application log.
 2015-01-07 11:57:56,830 [security.UserGroupInformation] INFO : Login successful for user
accumulo/hostname@EXAMPLE.COM using keytab file /etc/security/keytabs/accumulo.service.keytab
+===== Impersonation
+Impersonation is functionality which allows a certain user to act as another. One direct
+of this concept within Accumulo is the Thrift proxy. The Thrift proxy is configured to accept
+user requests and pass them onto Accumulo, enabling client access to Accumulo via any thrift-compatible
+language. When the proxy is running with SASL transports, this enforces that clients present
a valid
+Kerberos identity to make a connection. In this situation, the Thrift proxy server does not
+access to the secret key material in order to make a secure connection to Accumulo as the
+it can only connect to Accumulo as itself. Impersonation, in this context, refers to the
+of the proxy to authenticate to Accumulo as itself, but act on behalf of an Accumulo user.
+Accumulo supports basic impersonation of end-users by a third party via static rules in Accumulo's
+site configuration file.
+  <name>instance.rpc.sasl.impersonation.$PROXY_USER.users</name>
+  <value>*</value>
+  <name>instance.rpc.sasl.impersonation.$PROXY_USER.hosts</name>
+  <value>*</value>
+The value +$PROXY_USER+ is the Kerberos principal of the server which is acting on behalf
of a user.
+Impersonation is enforced by the Kerberos principal and the host from which the RPC originated.
+of the above properties expects values which are comma-separated lists. The value of each
user in the
+list should be the complete Kerberos principal of the user which the give +$PROXY_USER+ can
+and each value of the hosts list should be the FQDN of the machine which the +$PROXY_USER+
can submit
+requests from.
+Both the hosts and users configuration properties also accept a value of +*+ to denote that
any user or host
+is acceptable for +$PROXY_USER+.
 ==== Clients
 ===== Create client principal
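Review bot: the only configuration shown sets both `instance.rpc.sasl.impersonation.$PROXY_USER.users` and `instance.rpc.sasl.impersonation.$PROXY_USER.hosts` to `<value>*</value>`, which is the most permissive rule possible (the proxy may act as any Kerberos principal from any originating host), even though the prose just above motivates the feature by the proxy not having access to the secret key material of other users. Suggest leading with a restrictive example, an explicit comma-separated list of full principals in the users property and of FQDNs in the hosts property as the paragraph after the snippet describes, and presenting `*` as a convenience to be narrowed before production, with a sentence stating that the hosts check is applied to the host the RPC originated from. Two smaller points: the snippet shows bare `<name>`/`<value>` pairs without the enclosing `<property>` elements the site XML requires, so it cannot be copied into the file as written, and several sentences are missing words in the hunk, for example `+Impersonation is functionality which allows a certain user to act as another. One direct` followed by `+of this concept within Accumulo is the Thrift proxy.`, and `+list should be the complete Kerberos principal of the user which the give +$PROXY_USER+ can`; please complete those before merging.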

