From: "Keith Turner (JIRA)"
To: notifications@accumulo.apache.org
Date: Thu, 28 Feb 2013 17:37:12 +0000 (UTC)
Subject: [jira] [Commented] (ACCUMULO-1041) Generic interface for arbitrary token handling

[ https://issues.apache.org/jira/browse/ACCUMULO-1041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13589692#comment-13589692 ]

Keith Turner commented on ACCUMULO-1041:
----------------------------------------

bq. Any reconsiderations? If not, I would like to get started on this.

Isn't Christopher working on this in the branch he created?

> Generic interface for arbitrary token handling
> ----------------------------------------------
>
>                 Key: ACCUMULO-1041
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1041
>             Project: Accumulo
>          Issue Type: Sub-task
>          Components: client
>            Reporter: John Vines
>            Assignee: John Vines
>             Fix For: 1.5.0
>
>
> [~ctubbsii], [~kturner] and I hashed out details for best approach for generic tokens which should work both for our API and the proxy.
> # Client requests the Authenticator class name
> # Client creates instance of Authenticator, calls login(Properties)
> # Properties are used to create the appropriate Token, which implements Writable, and return it to user.
> # Client uses principal + Token with getConnector call
> # Token is immediately serialized to be used within client api and packaged into a Credential object
> # Credential gets sent to server via thrift
> # Principal is checked, if !SYSTEM treated as a PasswordToken, otherwise deserialized as a class defined by the Authenticator (Writable's readFields method called on said class)
> # Token is then passed through the SecurityOperations impl as well as the authenticator api.
> This allows the authenticator API to use their requested tokens without confusion/code injection issues with deserialization happening for unknown token classes.
> The exact same process for token creation can also be used by the Proxy, with a Map of properties being passed in to create a token on the proxy.
> For backward support, the ZKAuthenticator will expect a PasswordToken, which is simply a byte array.
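
The safeguard in the seventh step of the quoted description, as an added example (not Accumulo's code and not part of the issue or the comment): the server instantiates only the token class its own Authenticator declares and calls readFields on it, so the received bytes never select a class. The Writable interface below is a local stand-in for Hadoop's, and Authenticator.tokenClass(), the length-prefixed encoding and the 1024-byte limit are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class TokenDeserializationExample {
    // Local stand-in for Hadoop's Writable, so the example compiles without Hadoop.
    interface Writable {
        void write(DataOutput out) throws IOException;
        void readFields(DataInput in) throws IOException;
    }

    // Hypothetical token: a length-prefixed byte array (encoding is an assumption).
    public static class PasswordToken implements Writable {
        byte[] password = new byte[0];
        public PasswordToken() {}
        PasswordToken(byte[] p) { password = p; }
        public void write(DataOutput out) throws IOException {
            out.writeInt(password.length);
            out.write(password);
        }
        public void readFields(DataInput in) throws IOException {
            int len = in.readInt();
            // Bound the length before allocating; the limit is an assumed value.
            if (len < 0 || len > 1024) throw new IOException("bad token length " + len);
            password = new byte[len];
            in.readFully(password);
        }
    }

    // Hypothetical server-side authenticator: it alone names the token class.
    interface Authenticator { Class<? extends Writable> tokenClass(); }

    // The class to instantiate comes from the server's Authenticator, never from the wire.
    static Writable deserialize(Authenticator auth, byte[] wire) throws Exception {
        Writable token = auth.tokenClass().getDeclaredConstructor().newInstance();
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(wire));
        token.readFields(in);
        if (in.available() != 0) throw new IOException("trailing bytes after token");
        return token;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a serialized token as it would arrive in a Credential.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] secret = "secret".getBytes(StandardCharsets.UTF_8);
        new PasswordToken(secret).write(new DataOutputStream(buf));
        Authenticator zk = () -> PasswordToken.class; // hypothetical authenticator
        PasswordToken t = (PasswordToken) deserialize(zk, buf.toByteArray());
        System.out.println("round trip ok: " + Arrays.equals(t.password, secret));
    }
}
```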