accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-2815) Kerberos authentication for clients
Date Tue, 13 Jan 2015 17:40:35 GMT


Josh Elser commented on ACCUMULO-2815:

I plan to commit this today (see reviewboard for the monstrous amount of discussion that's
gone on over the past month or so). I ran some benchmarks yesterday: 8core cpu (no HT), 32G
ram and 3 (decently fast) spinning disks (single node with only one tserver):

||Metric||Unsecure/Normal||SASL w/ auth||SASL w/ auth-int||SASL w/ auth-conf||

Each iteration is ingestion of 100M entries using continuous ingest. Table durability set
to "flush", 20 splits created at the start of each iteration, 6 minc and majc threads (each),
and split threshold of 4G.

I ran a bunch more iterations of unsecure/normal because it was consistently 5% faster than
SASL with 'auth' which shouldn't happen. Best as I know, there shouldn't be any reason why
SASL is faster. It's possible that the different thrift server actually improved things, but
that's the only plausible explanation that I have.

> Kerberos authentication for clients
> -----------------------------------
>                 Key: ACCUMULO-2815
>                 URL:
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: client
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.7.0
> We have server authentication via Kerberos, but we don't have a way for clients to connect
to Accumulo using Kerberos.
> HBase context:
> We'll have to look into how Authorizations and Permissions are assigned to these users
and make sure the ZK-backed security mechanisms can still support this. It would be nice to
not have to make a completely separate auth/permission mechanism when kerberos is being used.
> As far as configuration, I imagine this would be a great fit for the often-proposed client-side
configuration idea.

This message was sent by Atlassian JIRA

View raw message