Message-ID: <5446ACC2.9070800@gmail.com>
Date: Tue, 21 Oct 2014 14:58:10 -0400
From: Josh Elser
To: user@accumulo.apache.org
Subject: Re: Correct usage of delegation tokens in Accumulo/Kerberization?

There isn't any tie right now between our Accumulo AuthenticationToken
and the Kerberos ticket that your client would need to interact with
HDFS/YARN/etc. Right now, you'd have to have both a TGT and some
credentials for your client to connect against Accumulo. The other
impls should be able to pull the TGT out of your credentials cache.

This is something I realized recently that we need to improve. It's on
my radar if no one else beats me to the punch..

Ed Kohlwey wrote:
> If I am writing a job that needs to access Accumulo, is there a way to
> use the pluggable authentication system to do so "the right way" via
> delegation tokens? Unlike Hadoop, YARN, and Hive, I can find no
> reference to a delegation token system in the current Accumulo sources.
> It looks like there were some commits a long time ago from John Vines
> where he created something called KerberosToken, but it looks like it's
> gone now.
>
> What is the intended interaction pattern? Is there a way to do this sort
> of thing without using PasswordToken and passing your password all over
> the place?