Return-Path: X-Original-To: apmail-accumulo-notifications-archive@minotaur.apache.org Delivered-To: apmail-accumulo-notifications-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 7B77417C69 for ; Wed, 4 Feb 2015 22:04:34 +0000 (UTC) Received: (qmail 24352 invoked by uid 500); 4 Feb 2015 22:04:35 -0000 Delivered-To: apmail-accumulo-notifications-archive@accumulo.apache.org Received: (qmail 24309 invoked by uid 500); 4 Feb 2015 22:04:35 -0000 Mailing-List: contact notifications-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: jira@apache.org Delivered-To: mailing list notifications@accumulo.apache.org Received: (qmail 24294 invoked by uid 99); 4 Feb 2015 22:04:35 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Feb 2015 22:04:35 +0000 Date: Wed, 4 Feb 2015 22:04:35 +0000 (UTC) From: "Christopher Tubbs (JIRA)" To: notifications@accumulo.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (ACCUMULO-3513) Ensure MapReduce functionality with Kerberos enabled MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/ACCUMULO-3513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14306061#comment-14306061 ] Christopher Tubbs commented on ACCUMULO-3513: --------------------------------------------- {quote}Keytabs on disk should be protected by the filesystem. ... A little C program ... drops permissions ...{quote} What user does the task run as? If the effective UID is the same as its parent, the filesystem won't protect it. {quote}... it's expected that the delegation token is protected from prying eyes ...{quote} There seems to be a trade-off here, with competing goals. On the one hand, we need to make sure Accumulo doesn't give up data to an untrusted middle-man. And, on the other hand, MapReduce needs to avoid granting access to its credentials from an untrusted client (which Accumulo *does* trust). If only the ResourceManager *and* the client could authenticate with Accumulo first, then we could carry information about both of these things in the token used to authenticate to Accumulo in the actual task, then we could trust the middle-man (YARN task) *and* the client to be able to receive the data from Accumulo. > Ensure MapReduce functionality with Kerberos enabled > ---------------------------------------------------- > > Key: ACCUMULO-3513 > URL: https://issues.apache.org/jira/browse/ACCUMULO-3513 > Project: Accumulo > Issue Type: Bug > Components: client > Reporter: Josh Elser > Assignee: Josh Elser > Priority: Blocker > Fix For: 1.7.0 > > Attachments: ACCUMULO-3513-design.pdf > > > I talked to [~devaraj] today about MapReduce support running on secure Hadoop to help get a picture about what extra might be needed to make this work. > Generally, in Hadoop and HBase, the client must have valid credentials to submit a job, then the notion of delegation tokens is used by for further communication since the servers do not have access to the client's sensitive information. A centralized service manages creation of a delegation token which is a record which contains certain information (such as the submitting user name) necessary to securely identify the holder of the delegation token. > The general idea is that we would need to build support into the master to manage delegation tokens to node managers to acquire and use to run jobs. Hadoop and HBase both contain code which implements this general idea, but we will need to apply them Accumulo and verify that it is M/R jobs still work on a kerberized environment. -- This message was sent by Atlassian JIRA (v6.3.4#6332)