[
https://issues.apache.org/jira/browse/ACCUMULO-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15276636#comment-15276636
]
William Slacum commented on ACCUMULO-4306:
------------------------------------------
There are some circumstances I find myself in that makes me want this:
- HDFS is being used in a multi-tenant environment. Other tenants either don't
require Kerberos, or wouldn't want to use it (for whatever reason, good or bad).
- HDFS isn't being exposed to an external network.
I also hope that this move enables us to make more authentication schemes
pluggable via SASL (currently we only do DIGEST-MD5 and GSSAPI), as we won't be
dependent on Hadoop to provide our security mechanisms for clients.
> Support Kerberos authentication terminating at Accumulo
> -------------------------------------------------------
>
> Key: ACCUMULO-4306
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4306
> Project: Accumulo
> Issue Type: Improvement
> Components: core, rpc
> Reporter: William Slacum
> Assignee: William Slacum
> Labels: authentication, kerberos
> Fix For: 1.8.0
>
>
> We currently support Kerberos authentication via SASL+GSSAPI. Due to an
> implementation detail, turning it on requires also enabling Kerberos for HDFS.
> This ticket proposes changing the implementation to avoid needing to turn on
> Kerberos authentication for HDFS, but still (optionally) using it. Mostly, I
> think this boils down to replacing uses of {{UserGroupInformation}} with
> {{Subject}} references. There are couple places (specifically around creating
> delegation tokens for use with a Kerberos-enabled Hadoop cluster) where
> `UserGroupInformation` may need to stick around.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
