accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William Slacum (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-4306) Support Kerberos authentication terminating at Accumulo
Date Mon, 09 May 2016 17:10:12 GMT


William Slacum commented on ACCUMULO-4306:

There are some circumstances I find myself in that makes me want this:

- HDFS is being used in a multi-tenant environment. Other tenants either don't require Kerberos,
or wouldn't want to use it (for whatever reason, good or bad).
- HDFS isn't being exposed to an external network.

I also hope that this move enables us to make more authentication schemes pluggable via SASL
(currently we only do DIGEST-MD5 and GSSAPI), as we won't be dependent on Hadoop to provide
our security mechanisms for clients.

> Support Kerberos authentication terminating at Accumulo
> -------------------------------------------------------
>                 Key: ACCUMULO-4306
>                 URL:
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: core, rpc
>            Reporter: William Slacum
>            Assignee: William Slacum
>              Labels: authentication, kerberos
>             Fix For: 1.8.0
> We currently support Kerberos authentication via SASL+GSSAPI. Due to an implementation
detail, turning it on requires also enabling Kerberos for HDFS.
> This ticket proposes changing the implementation to avoid needing to turn on Kerberos
authentication for HDFS, but still (optionally) using it. Mostly, I think this boils down
to replacing uses of {{UserGroupInformation}} with {{Subject}} references. There are couple
places (specifically around creating delegation tokens for use with a Kerberos-enabled Hadoop
cluster) where `UserGroupInformation` may need to stick around.

This message was sent by Atlassian JIRA

View raw message