kudu-commits mailing list archives

From aw...@apache.org
Subject [kudu] 02/02: docs: adjust ordering of security docs
Date Sun, 30 Jun 2019 21:47:28 GMT
This is an automated email from the ASF dual-hosted git repository.

awong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git

commit 5c652defff422f908dacc11011dc6ae59bf49be5
Author: Andrew Wong <awong@apache.org>
AuthorDate: Wed Jun 26 11:38:12 2019 -0700

    docs: adjust ordering of security docs
    
    The "Scalability" section discusses the scalability of Kudu's
    authentication story, so I put it in the "Authentication" section.
    
    Coarse-grained authorization also seems to follow authentication
    naturally, so I moved the "Coarse-Grained Authorization" section up to
    be right after the "Authentication" section.
    
    Change-Id: I98d7b9c42de663e6613ab48d9201bfabe217d7e9
    Reviewed-on: http://gerrit.cloudera.org:8080/13758
    Tested-by: Kudu Jenkins
    Reviewed-by: Hao Hao <hao.hao@cloudera.com>
    Reviewed-by: Grant Henke <granthenke@apache.org>
---
 docs/security.adoc | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/docs/security.adoc b/docs/security.adoc
index dcb82d6..18d2d7a 100644
--- a/docs/security.adoc
+++ b/docs/security.adoc
@@ -112,7 +112,7 @@ $ kinit admin@EXAMPLE-REALM.COM
 Once authenticated, you use the same client code to read from and write to Kudu
 servers with and without Kerberos configuration.
 
-== Scalability
+=== Scalability
 
 Kudu authentication is designed to scale to thousands of nodes, which requires
 avoiding unnecessary coordination with a central authentication authority (such
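
Review bot: at `=== Scalability`, the new level only does what the commit message intends if the nearest preceding `==` heading is the Authentication section and its other subsections are also `===`. None of that is visible in this context, so please confirm by rendering the page and checking that Scalability appears in the table of contents as a sibling of the other Authentication subsections. If the text just above (the `kinit` client example) sits under a deeper heading, Scalability will read as a peer of that example's parent rather than as part of one authentication narrative.
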
@@ -121,24 +121,6 @@ establish initial trust with the Kudu master, and then use alternate
credentials
 for subsequent connections. In particular, the master will issue internal
 X.509 certificates to servers, and temporary authentication tokens to clients.
 
-== Encryption
-
-Kudu allows all communications among servers and between clients and servers
-to be encrypted with TLS.
-
-Encryption can be configured on Kudu servers using the `--rpc_encryption` flag,
-which can be set to `required`, `optional`, or `disabled`. By default, the flag
-is set to `optional`. When `required`, Kudu will reject unencrypted connections.
-When `optional`, Kudu will attempt to use encryption. Same as authentication,
-when `disabled` or encryption fails for `optional`, Kudu will only allow
-unencrypted connections from trusted subnets and reject any unencrypted connections
-from publicly routable IPs. To secure a cluster, use `--rpc_encryption=required`.
-
-NOTE: Kudu will automatically turn off encryption on local loopback connections,
-since traffic from these connections is never exposed externally. This allows
-locality-aware compute frameworks like Spark and Impala to avoid encryption
-overhead, while still ensuring data confidentiality.
-
 == Coarse-Grained Authorization
 
 Kudu supports coarse-grained authorization of client requests based on the
@@ -169,6 +151,24 @@ to only those users who are able to successfully authenticate via Kerberos.
 Unauthenticated users on the same network as the Kudu servers will be unable
 to access the cluster.
 
+== Encryption
+
+Kudu allows all communications among servers and between clients and servers
+to be encrypted with TLS.
+
+Encryption can be configured on Kudu servers using the `--rpc_encryption` flag,
+which can be set to `required`, `optional`, or `disabled`. By default, the flag
+is set to `optional`. When `required`, Kudu will reject unencrypted connections.
+When `optional`, Kudu will attempt to use encryption. Same as authentication,
+when `disabled` or encryption fails for `optional`, Kudu will only allow
+unencrypted connections from trusted subnets and reject any unencrypted connections
+from publicly routable IPs. To secure a cluster, use `--rpc_encryption=required`.
+
+NOTE: Kudu will automatically turn off encryption on local loopback connections,
+since traffic from these connections is never exposed externally. This allows
+locality-aware compute frameworks like Spark and Impala to avoid encryption
+overhead, while still ensuring data confidentiality.
+
 [[web-ui]]
 == Web UI Encryption
 
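
Review bot: in the re-added Encryption section, "Same as authentication, when `disabled` or encryption fails for `optional`, ..." is a back-reference that used to sit right after the authentication text and is now separated from it by the whole Coarse-Grained Authorization section. A reader landing on Encryption no longer has the authentication fallback behavior in view, so I would restate the rule directly (unencrypted connections are allowed only from trusted subnets and rejected from publicly routable IPs) or cross-link the authentication section instead of relying on "Same as". While the block is being moved, it would also help to give it an explicit anchor the way the next section has `[[web-ui]]`, so links to it do not depend on the generated heading id.
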

