accumulo-notifications mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-4306) Support Kerberos authentication terminating at Accumulo
Date Wed, 11 May 2016 20:44:13 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15280795#comment-15280795 ]

Sean Busbey commented on ACCUMULO-4306:
---------------------------------------

{quote}
Would an update to our documentation/user manual that outlines the consequences of security
configurations (both current and those as a result of this ticket) help sway you one way or
the other? I think there's already gaps in our current capabilities now that are undocumented,
and this would just add more unknown variables. Specifically you've mentioned reading backing
files, but there are other concerns from Accumulo's perspective (such as user authorizations)
that are a separate class of protection mechanisms which I'm also trying to consider.
{quote}

Yes, this would help. HDFS without Kerberos enabled is a pretty big red flashing light in
my experience, so it would especially help me evaluate the delta we're talking about for likely
my-first-cluster misconfigurations.

> Support Kerberos authentication terminating at Accumulo
> -------------------------------------------------------
>
>                 Key: ACCUMULO-4306
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4306
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: core, rpc
>            Reporter: William Slacum
>            Assignee: William Slacum
>              Labels: authentication, kerberos
>             Fix For: 1.8.0
>
>
> We currently support Kerberos authentication via SASL+GSSAPI. Due to an implementation
> detail, turning it on requires also enabling Kerberos for HDFS.
> This ticket proposes changing the implementation to avoid needing to turn on Kerberos
> authentication for HDFS, but still (optionally) using it. Mostly, I think this boils down
> to replacing uses of {{UserGroupInformation}} with {{Subject}} references. There are a couple
> places (specifically around creating delegation tokens for use with a Kerberos-enabled Hadoop
> cluster) where `UserGroupInformation` may need to stick around.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
