accumulo-commits mailing list archives

From els...@apache.org
Subject [4/4] accumulo git commit: ACCUMULO-3452 Add user manual documentation on impersonation
Date Wed, 21 Jan 2015 23:36:53 GMT
ACCUMULO-3452 Add user manual documentation on impersonation


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/ef6042fc
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/ef6042fc
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/ef6042fc

Branch: refs/heads/master
Commit: ef6042fc5ef55385d35688a029e854d08976c60e
Parents: 98ced20
Author: Josh Elser <elserj@apache.org>
Authored: Wed Jan 21 18:36:11 2015 -0500
Committer: Josh Elser <elserj@apache.org>
Committed: Wed Jan 21 18:36:11 2015 -0500

----------------------------------------------------------------------
 docs/src/main/asciidoc/chapters/kerberos.txt | 36 +++++++++++++++++++++++
 1 file changed, 36 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/ef6042fc/docs/src/main/asciidoc/chapters/kerberos.txt
----------------------------------------------------------------------
diff --git a/docs/src/main/asciidoc/chapters/kerberos.txt b/docs/src/main/asciidoc/chapters/kerberos.txt
index 3dcac6d..05d7384 100644
--- a/docs/src/main/asciidoc/chapters/kerberos.txt
+++ b/docs/src/main/asciidoc/chapters/kerberos.txt
@@ -184,6 +184,42 @@ something similar to the following in the application log.
 2015-01-07 11:57:56,830 [security.UserGroupInformation] INFO : Login successful for user
accumulo/hostname@EXAMPLE.COM using keytab file /etc/security/keytabs/accumulo.service.keytab
 ----
 
+===== Impersonation
+
+Impersonation is functionality which allows a certain user to act as another. One direct
application
+of this concept within Accumulo is the Thrift proxy. The Thrift proxy is configured to accept
+user requests and pass them onto Accumulo, enabling client access to Accumulo via any thrift-compatible
+language. When the proxy is running with SASL transports, this enforces that clients present
a valid
+Kerberos identity to make a connection. In this situation, the Thrift proxy server does not
have
+access to the secret key material in order to make a secure connection to Accumulo as the
client,
+it can only connect to Accumulo as itself. Impersonation, in this context, refers to the
ability
+of the proxy to authenticate to Accumulo as itself, but act on behalf of an Accumulo user.
+
+Accumulo supports basic impersonation of end-users by a third party via static rules in Accumulo's
+site configuration file.
+
+----
+<property>
+  <name>instance.rpc.sasl.impersonation.$PROXY_USER.users</name>
+  <value>*</value>
+</property>
+
+<property>
+  <name>instance.rpc.sasl.impersonation.$PROXY_USER.hosts</name>
+  <value>*</value>
+</property>
+----
+
+The value +$PROXY_USER+ is the Kerberos principal of the server which is acting on behalf
of a user.
+Impersonation is enforced by the Kerberos principal and the host from which the RPC originated.
Both
+of the above properties expects values which are comma-separated lists. The value of each
user in the
+list should be the complete Kerberos principal of the user which the give +$PROXY_USER+ can
impersonate,
+and each value of the hosts list should be the FQDN of the machine which the +$PROXY_USER+
can submit
+requests from.
+
+Both the hosts and users configuration properties also accept a value of +*+ to denote that
any user or host
+is acceptable for +$PROXY_USER+.
+
 ==== Clients
 
 ===== Create client principal
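Review bot: the example configuration in this hunk sets both +instance.rpc.sasl.impersonation.$PROXY_USER.users+ and +instance.rpc.sasl.impersonation.$PROXY_USER.hosts+ to +*+, the most permissive combination, and the text only explains in its last sentence that +*+ means any user from any host is acceptable. Since the same paragraph states that impersonation is enforced by Kerberos principal and originating host, the example should show the restrictive form the text actually describes (hypothetical values, e.g. `<value>alice@EXAMPLE.COM,bob@EXAMPLE.COM</value>` for users and `<value>proxy01.example.com</value>` for hosts) and state plainly that a wildcard in both properties lets whoever holds the $PROXY_USER credentials act as every Accumulo user from any machine, so the wildcard belongs in a caveat rather than as the default shown. Two wording fixes in the same hunk: "Both of the above properties expects values" should read "expect values", and "the give +$PROXY_USER+" should read "the given +$PROXY_USER+".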

