Date: Mon, 9 May 2016 17:10:12 +0000 (UTC)
From: "William Slacum (JIRA)"
To: notifications@accumulo.apache.org
Subject: [jira] [Commented] (ACCUMULO-4306) Support Kerberos authentication terminating at Accumulo

[ https://issues.apache.org/jira/browse/ACCUMULO-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15276636#comment-15276636 ]

William Slacum commented on ACCUMULO-4306:
------------------------------------------

There are some circumstances I find myself in that make me want this:

- HDFS is being used in a multi-tenant environment. Other tenants either don't require Kerberos, or wouldn't want to use it (for whatever reason, good or bad).
- HDFS isn't being exposed to an external network.

I also hope that this move enables us to make more authentication schemes pluggable via SASL (currently we only do DIGEST-MD5 and GSSAPI), as we won't be dependent on Hadoop to provide our security mechanisms for clients.

> Support Kerberos authentication terminating at Accumulo
> -------------------------------------------------------
>
> Key: ACCUMULO-4306
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4306
> Project: Accumulo
> Issue Type: Improvement
> Components: core, rpc
> Reporter: William Slacum
> Assignee: William Slacum
> Labels: authentication, kerberos
> Fix For: 1.8.0
>
>
> We currently support Kerberos authentication via SASL+GSSAPI. Due to an implementation detail, turning it on requires also enabling Kerberos for HDFS.
> This ticket proposes changing the implementation to avoid needing to turn on Kerberos authentication for HDFS, but still (optionally) using it. Mostly, I think this boils down to replacing uses of {{UserGroupInformation}} with {{Subject}} references. There are a couple of places (specifically around creating delegation tokens for use with a Kerberos-enabled Hadoop cluster) where `UserGroupInformation` may need to stick around.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)