[ https://issues.apache.org/jira/browse/ACCUMULO-3452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14284361#comment-14284361 ]
Josh Elser commented on ACCUMULO-3452:
--------------------------------------
Ok, I have an idea of what to do. Presently, we assert that the Accumulo
principal always matches the SASL (Kerberos) principal from the Thrift
transport. This was done just as a sanity check because we always expected
users to be acting as themselves. After we set up the connection and start
invoking whatever Thrift server implementation (e.g. ThriftClientHandler),
we're doing all of the work as the "accumulo" user and just using the (Accumulo)
principal from the RPC arguments to identify the name of the Accumulo user
we're acting as.

This lines up with what Hadoop, HBase and others are doing: we specify extra
configuration which allows a specific user the ability to impersonate another
user. Thus, where the check previously killed any RPC in which the Accumulo
principal didn't equal the SASL principal, we allow those through in the
specific case where they match these impersonation configuration criteria. The
authentication for the low-level RPC is still done as a single user, but we can
act as a specific Accumulo user.
> Add SASL support to thrift proxy
> --------------------------------
>
> Key: ACCUMULO-3452
> URL: https://issues.apache.org/jira/browse/ACCUMULO-3452
> Project: Accumulo
> Issue Type: Sub-task
> Components: proxy
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: 1.7.0
>
>
> The thrift proxy doesn't leverage TServerUtils (and instead creates a
> THsHaServer by hand). This means it won't automatically create the correct
> thrift server (also the reason it doesn't support SSL).
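The check described in the comment above, as an added example (not code from Accumulo or from the comment's author): the RPC is accepted when the Accumulo principal equals the SASL principal, or when configuration explicitly lets the SASL principal act as that Accumulo user, and is rejected otherwise. The class name, method name, policy map and principals are hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

/** Added illustration; every name here is hypothetical, not Accumulo's API. */
public class ImpersonationCheck {
    // Policy: authenticated (SASL) principal -> Accumulo users it may act as.
    private final Map<String, Set<String>> allowed;

    public ImpersonationCheck(Map<String, Set<String>> allowed) {
        this.allowed = allowed;
    }

    /**
     * @param saslPrincipal identity Kerberos authenticated on the Thrift transport
     * @param rpcPrincipal  Accumulo principal named in the RPC arguments
     * @return the Accumulo user the request runs as
     * @throws SecurityException when the pairing is not permitted (default deny)
     */
    public String effectiveUser(String saslPrincipal, String rpcPrincipal) {
        if (saslPrincipal == null || rpcPrincipal == null) {
            throw new SecurityException("missing principal");
        }
        // Original sanity check: the user is acting as themselves.
        if (saslPrincipal.equals(rpcPrincipal)) {
            return rpcPrincipal;
        }
        // New case: allowed only if configuration names this exact pairing.
        Set<String> targets = allowed.get(saslPrincipal);
        if (targets != null && targets.contains(rpcPrincipal)) {
            return rpcPrincipal;
        }
        throw new SecurityException(saslPrincipal + " may not act as " + rpcPrincipal);
    }

    public static void main(String[] args) {
        String proxy = "proxy/host.example.com@EXAMPLE.COM"; // constructed sample values
        ImpersonationCheck check =
            new ImpersonationCheck(Map.of(proxy, Set.of("alice@EXAMPLE.COM")));

        System.out.println(check.effectiveUser("bob@EXAMPLE.COM", "bob@EXAMPLE.COM"));
        System.out.println(check.effectiveUser(proxy, "alice@EXAMPLE.COM"));
        try {
            check.effectiveUser(proxy, "root@EXAMPLE.COM"); // not listed for the proxy
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Principals are compared as exact strings here; a deployment that maps Kerberos principals to short names would need to apply that mapping before the comparison.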