accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Vines (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-996) explore exposing accumulo token in proxy
Date Wed, 30 Jan 2013 20:29:12 GMT


John Vines commented on ACCUMULO-996:

The current API, as well as the proposed simplification, would support username/pass authentication
against LDAP or zookeeper, as well as using LDAP/zookeeper for authorization and permission
handling. Kerberos is a bit tricky, but it can be used in this structure as well, though it's
still vulnerable to replay (but not as loose as blasting username+password in the clear across
the wire). PKI can vary, as my understanding is that there's a variety of implementations
of it, some of which have a challenge/response built into the client server communications.
That would NOT be supported. But any system which involves challenge response with another
server to gain the token (like kerberos) should be functional so long as you can get away
from any machine specific bindings in the protocol (kerberos has something like this, but
it's possible to work around if we're only using it for authentication).

Having a connection factory is an interesting aspect, but it's something that will be necessitated
by additional research into some of the various pki implementations.
> explore exposing accumulo token in proxy
> ----------------------------------------
>                 Key: ACCUMULO-996
>                 URL:
>             Project: Accumulo
>          Issue Type: Sub-task
>          Components: proxy
>            Reporter: Keith Turner
>            Assignee: Eric Newton
>             Fix For: 1.5.0
> with the new security related changes for 1.5, do the new authentication mechanism need
to be exposed in the proxy?

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message