accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-4306) Support Kerberos authentication terminating at Accumulo
Date Tue, 10 May 2016 03:40:12 GMT


Josh Elser commented on ACCUMULO-4306:

bq. Would an update to our documentation/user manual that outlines the
consequences of security configurations (both current and those as a result
of this ticket) help sway you one way or the other? I think there's already
gaps in our current capabilities now that are undocumented, and this would
just add more unknown variables

This would be rad if you could do this. I'd be more than happy to help out
too (since most of the current docs are probably of my pen's creation).
Sounds like it would also be useful for this discussion too (</selfish>).

> Support Kerberos authentication terminating at Accumulo
> -------------------------------------------------------
>                 Key: ACCUMULO-4306
>                 URL:
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: core, rpc
>            Reporter: William Slacum
>            Assignee: William Slacum
>              Labels: authentication, kerberos
>             Fix For: 1.8.0
> We currently support Kerberos authentication via SASL+GSSAPI. Due to an implementation
detail, turning it on requires also enabling Kerberos for HDFS.
> This ticket proposes changing the implementation to avoid needing to turn on Kerberos
authentication for HDFS, but still (optionally) using it. Mostly, I think this boils down
to replacing uses of {{UserGroupInformation}} with {{Subject}} references. There are couple
places (specifically around creating delegation tokens for use with a Kerberos-enabled Hadoop
cluster) where `UserGroupInformation` may need to stick around.

This message was sent by Atlassian JIRA

View raw message