[jira] [Commented] (ACCUMULO-4306) Support Kerberos authentication terminating at Accumulo

Wed, 11 May 2016 13:44:57 -0700 

    [ 
https://issues.apache.org/jira/browse/ACCUMULO-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15280795#comment-15280795
 ] 

Sean Busbey commented on ACCUMULO-4306:
---------------------------------------

{quote}
Would an update to our documentation/user manual that outlines the consequences 
of security configurations (both current and those as a result of this ticket) 
help sway you one way or the other? I think there's already gaps in our current 
capabilities now that are undocumented, and this would just add more unknown 
variables. Specifically you've mentioned reading backing files, but there are 
other concerns from Accumulo's perspective (such as user authorizations) that 
are a separate class of protection mechanisms which I'm also trying to consider.
{quote}

Yes, this would help. HDFS without kerberos enabled is a pretty big red 
flashing light in my experience, so it would especially help me evaluate the 
delta we're talking about for likely my-first-cluster misconfigurations.

> Support Kerberos authentication terminating at Accumulo
> -------------------------------------------------------
>
>                 Key: ACCUMULO-4306
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4306
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: core, rpc
>            Reporter: William Slacum
>            Assignee: William Slacum
>              Labels: authentication, kerberos
>             Fix For: 1.8.0
>
>
> We currently support Kerberos authentication via SASL+GSSAPI. Due to an 
> implementation detail, turning it on requires also enabling Kerberos for HDFS.
> This ticket proposes changing the implementation to avoid needing to turn on 
> Kerberos authentication for HDFS, but still (optionally) using it. Mostly, I 
> think this boils down to replacing uses of {{UserGroupInformation}} with 
> {{Subject}} references. There are couple places (specifically around creating 
> delegation tokens for use with a Kerberos-enabled Hadoop cluster) where 
> `UserGroupInformation` may need to stick around.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to