hawq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dyozie <...@git.apache.org>
Subject [GitHub] incubator-hawq-docs pull request #132: add support for active directory KDC ...
Date Thu, 26 Oct 2017 19:21:32 GMT
Github user dyozie commented on a diff in the pull request:

    --- Diff: markdown/clientaccess/kerberos-userauth.html.md.erb ---
    @@ -0,0 +1,459 @@
    +title: Configuring Kerberos User Authentication for HAWQ
    +Licensed to the Apache Software Foundation (ASF) under one
    +or more contributor license agreements.  See the NOTICE file
    +distributed with this work for additional information
    +regarding copyright ownership.  The ASF licenses this file
    +to you under the Apache License, Version 2.0 (the
    +"License"); you may not use this file except in compliance
    +with the License.  You may obtain a copy of the License at
    +  http://www.apache.org/licenses/LICENSE-2.0
    +Unless required by applicable law or agreed to in writing,
    +software distributed under the License is distributed on an
    +KIND, either express or implied.  See the License for the
    +specific language governing permissions and limitations
    +under the License.
    +When Kerberos authentication is enabled at the user level, HAWQ uses the Generic Security
Service Application Program Interface \(GSSAPI\) to provide automatic authentication \(single
sign-on\). When HAWQ uses Kerberos user authentication, HAWQ itself and the HAWQ users \(roles\)
that require Kerberos authentication require a principal and keytab. When a user attempts
to log in to HAWQ, HAWQ uses its Kerberos principal to connect to the Kerberos server, and
presents the user's principal for Kerberos validation. If the user principal is valid, login
succeeds and the user can access HAWQ. Conversely, the login fails and HAWQ denies access
to the user if the principal is not valid.
    +When HAWQ utilizes Kerberos for user authentication, it uses a standard principal to
connect to the Kerberos KDC. The format of this principal is `postgres/<FQDN_of_master>@<realm>`,
where \<FQDN\_of\_master\> refers to the fully qualified distinguish name of the HAWQ
master node.
    --- End diff --
    "When HAWQ utilizes Kerberos for user authentication, it uses a single HAWQ server principal
to connect to the Kerberos KDC. The format of the HAWQ server principal is ..."


View raw message