Github user DaveBirdsall commented on a diff in the pull request:
https://github.com/apache/incubator-trafodion/pull/558#discussion_r68613826
--- Diff:
docs/provisioning_guide/src/asciidoc/_chapters/enable_security.adoc ---
@@ -26,25 +26,100 @@
[[enable-security]]
= Enable Security
-If you do not enable security in {project-name}, then a client interface
to {project-name} may request a user name and password,
-but {project-name} ignores the user name and password entered in the
client interface, and the session runs as the database *root* user,
-`DB__ROOT`, without restrictions. If you want to restrict users, restrict
access to certain users only, or restrict access to an
-object or operation, then you must enable security, which enforces
authentication and authorization. You can enable security
-during installation by answering the {project-name} Installer's prompts or
after installation by running the `traf_authentication_setup`
-script, which enables both authentication and authorization. For more
information, see
-<<enable-security-authentication-setup-script,Authentication Setup
Script>> below.
+{project-name} supports user authentication with LDAP, integrates in
Hadoop's Kerberos environment and
+supports authorization through database grant and revoke requests
(privileges).
+
+If this is an initial installation, both LDAP and Kerberos can be
configured by running {project-name} installer.
+If {project-name} is already installed, then both LDAP and Kerberos can be
configured by running {project-name}
+security installer.
+
+* If Hadoop has enabled Kerberos, then {project-name} must also enable
Kerberos.
+* If Kerberos is enabled, then LDAP must be enabled.
+* If LDAP is enabled, then database authorization (privilege support) is
automatically enabled.
+* If Kerberos is not enabled, then enabling LDAP is optional.
+
+[[enable-security-kerberos]]
+== Configuring {project-name} for Kerberos
+Kerberos is a protocol for authenticating a request for a service or
operation. It uses the notion of a ticket to verify accessibility.
+The ticket is proof of identity encrypted with a secret key for the
particular requested service. Tickets exist for a short time and
+then expire. Therefore, you can use the service as long as your ticket is
valid (i.e. not expired). Hadoop uses Kerberos to provide
+security for its services, as such {project-name} needs to function
properly with Hadoop that has Kerberos enabled.
--- End diff --
Perhaps, "needs to function properly with Hadoop instances that have
Kerberos enabled"?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
