accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-3452) Add SASL support to thrift proxy
Date Tue, 20 Jan 2015 19:47:34 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-3452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14284295#comment-14284295
] 

Josh Elser commented on ACCUMULO-3452:
--------------------------------------

So I didn't think this through entirely: given the current configuration, there's no way for
the thrift proxy to get KRB credentials from a client and perform some action against Accumulo
using them as this, by itself, would allow any user with credentials to act as another user.

Hadoop does have [some precedent|http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html#Proxy_user]
here that we might be able to adopt and leverage that restricts the users which are allowed
to impersonate another.

> Add SASL support to thrift proxy
> --------------------------------
>
>                 Key: ACCUMULO-3452
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3452
>             Project: Accumulo
>          Issue Type: Sub-task
>          Components: proxy
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.7.0
>
>
> The thrift proxy doesn't leverage TServerUtils (and instead creates a THsHaServer by
hand). This means it won't automatically create the correct thrift server (also the reason
it doesn't support SSL).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message