[jira] [Commented] (ACCUMULO-3513) Ensure MapReduce functionality with Kerberos enabled

Tue, 27 Jan 2015 15:08:52 -0800 

    [ 
https://issues.apache.org/jira/browse/ACCUMULO-3513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14294382#comment-14294382
 ] 

Josh Elser commented on ACCUMULO-3513:
--------------------------------------

I'm still unclear of how you think this prevents unwanted impersonation from 
happening. For mapreduce, the only time that we "know" who a client is happens 
when they submit the job. We need to tie the fact that the client is who they 
say they are (from their kerberos credentials) and construct a way to let node 
managers who no longer have any idea what the job-submitter's credentials are 
(this is the notion of the delegation token from HDFS and others).

In your example, we would have to trust that each and every mapreduce job in 
the system is going to "do the right thing" and not impersonate users they 
shouldn't which isn't sufficient for a solution. We can do much better by 
taking the delegation token approach.

> Ensure MapReduce functionality with Kerberos enabled
> ----------------------------------------------------
>
>                 Key: ACCUMULO-3513
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3513
>             Project: Accumulo
>          Issue Type: Bug
>          Components: client
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>             Fix For: 1.7.0
>
>
> I talked to [~devaraj] today about MapReduce support running on secure Hadoop 
> to help get a picture about what extra might be needed to make this work.
> Generally, in Hadoop and HBase, the client must have valid credentials to 
> submit a job, then the notion of delegation tokens is used by for further 
> communication since the servers do not have access to the client's sensitive 
> information. A centralized service manages creation of a delegation token 
> which is a record which contains certain information (such as the submitting 
> user name) necessary to securely identify the holder of the delegation token.
> The general idea is that we would need to build support into the master to 
> manage delegation tokens to node managers to acquire and use to run jobs. 
> Hadoop and HBase both contain code which implements this general idea, but we 
> will need to apply them Accumulo and verify that it is M/R jobs still work on 
> a kerberized environment.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to