accumulo-user mailing list archives

From Josh Elser <josh.el...@gmail.com>
Subject Re: Correct usage of delegation tokens in Accumulo/Kerberization?
Date Tue, 21 Oct 2014 18:58:10 GMT
There isn't any tie right now between our Accumulo AuthenticationToken
and the Kerberos ticket that your client would need to interact with 
HDFS/YARN/etc.

Right now, you'd have to have both a TGT and some credentials for your 
client to connect against Accumulo. The other impls should be able to 
pull the TGT out of your credentials cache.

This is something I realized recently that we need to improve. It's on 
my radar if no one else beats me to the punch..

Ed Kohlwey wrote:
> If I am writing a job that needs to access Accumulo, is there a way to
> use the pluggable authentication system to do so "the right way" via
> delegation tokens? Unlike Hadoop, YARN, and Hive, I can find no
> reference to a delegation token system in the current Accumulo sources.
> It looks like there were some commits a long time ago from John Vines
> where he created something called KerberosToken, but it looks like it's
> gone now.
>
> What is the intended interaction pattern? Is there a way to do this sort
> of thing without using PasswordToken and passing your password all over
> the place?
