accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-4306) Support Kerberos authentication terminating at Accumulo
Date Tue, 10 May 2016 15:20:12 GMT


Christopher Tubbs commented on ACCUMULO-4306:

I'm in favor of separating the security measures in Accumulo from being reliant on particular
security measures in its dependent components. I like that Accumulo Kerberos works in conjunction
with Hadoop Kerberos, but I can also see value in Accumulo Kerberos being enabled, regardless
of Hadoop (or whatever might be used in place of Hadoop for Accumulo's underlying storage).
If Accumulo's storage encryption were a bit more robust, Accumulo wouldn't have to trust the
security of the DFS layer.

> Support Kerberos authentication terminating at Accumulo
> -------------------------------------------------------
>                 Key: ACCUMULO-4306
>                 URL:
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: core, rpc
>            Reporter: William Slacum
>            Assignee: William Slacum
>              Labels: authentication, kerberos
>             Fix For: 1.8.0
> We currently support Kerberos authentication via SASL+GSSAPI. Due to an implementation
detail, turning it on requires also enabling Kerberos for HDFS.
> This ticket proposes changing the implementation to avoid needing to turn on Kerberos
authentication for HDFS, but still (optionally) using it. Mostly, I think this boils down
to replacing uses of {{UserGroupInformation}} with {{Subject}} references. There are couple
places (specifically around creating delegation tokens for use with a Kerberos-enabled Hadoop
cluster) where `UserGroupInformation` may need to stick around.

This message was sent by Atlassian JIRA

View raw message