[
https://issues.apache.org/jira/browse/ACCUMULO-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15278260#comment-15278260
]
Christopher Tubbs commented on ACCUMULO-4306:
---------------------------------------------
I'm in favor of separating the security measures in Accumulo from being reliant
on particular security measures in its dependent components. I like that
Accumulo Kerberos works in conjunction with Hadoop Kerberos, but I can also see
value in Accumulo Kerberos being enabled, regardless of Hadoop (or whatever
might be used in place of Hadoop for Accumulo's underlying storage). If
Accumulo's storage encryption were a bit more robust, Accumulo wouldn't have to
trust the security of the DFS layer.
> Support Kerberos authentication terminating at Accumulo
> -------------------------------------------------------
>
> Key: ACCUMULO-4306
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4306
> Project: Accumulo
> Issue Type: Improvement
> Components: core, rpc
> Reporter: William Slacum
> Assignee: William Slacum
> Labels: authentication, kerberos
> Fix For: 1.8.0
>
>
> We currently support Kerberos authentication via SASL+GSSAPI. Due to an
> implementation detail, turning it on requires also enabling Kerberos for HDFS.
> This ticket proposes changing the implementation to avoid needing to turn on
> Kerberos authentication for HDFS, but still (optionally) using it. Mostly, I
> think this boils down to replacing uses of {{UserGroupInformation}} with
> {{Subject}} references. There are couple places (specifically around creating
> delegation tokens for use with a Kerberos-enabled Hadoop cluster) where
> `UserGroupInformation` may need to stick around.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
