accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-3452) Add SASL support to thrift proxy
Date Tue, 20 Jan 2015 20:35:34 GMT


Josh Elser commented on ACCUMULO-3452:

Ok, I have an idea of what to do. Presently, we assert that the Accumulo principal always
matches the SASL (Kerberos) principal from the Thrift transport. This was done just as a sanity
check because we always expected users to be acting as themselves. After we set up the connection
and start invoking whatever thrift server implementation (e.g. ThriftClientHandler), we're
doing all of the work as the "accumulo" user and just using (Accumulo) principal from the
RPC arguments to identify the name of the Accumulo user we're acting as.

This lines up with what Hadoop, HBase and others are doing: we specify extra configuration
which allows a specific user the ability to impersonate another user. Thus, the check which
previously killed any RPC where the Accumulo principal didn't equal the SASL principal, we
allow those through in the specific case where they match this impersonation configuration
criteria. The authentication for the low-level RPC is still done as a single user, but we
can act as a specific Accumulo user.

> Add SASL support to thrift proxy
> --------------------------------
>                 Key: ACCUMULO-3452
>                 URL:
>             Project: Accumulo
>          Issue Type: Sub-task
>          Components: proxy
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.7.0
> The thrift proxy doesn't leverage TServerUtils (and instead creates a THsHaServer by
hand). This means it won't automatically create the correct thrift server (also the reason
it doesn't support SSL).

This message was sent by Atlassian JIRA

View raw message