ACCUMULO-3607 Add section about `accumulo init` with kerberos
Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/95b9f00a Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/95b9f00a Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/95b9f00a Branch: refs/heads/master Commit: 95b9f00a8facc7778840febf4b44fde404f688fa Parents: 97832e9 Author: Josh Elser <[email protected]> Authored: Mon Feb 23 12:24:41 2015 -0500 Committer: Josh Elser <[email protected]> Committed: Mon Feb 23 12:24:41 2015 -0500 ---------------------------------------------------------------------- docs/src/main/asciidoc/chapters/kerberos.txt | 13 +++++++++++++ 1 file changed, 13 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/95b9f00a/docs/src/main/asciidoc/chapters/kerberos.txt ---------------------------------------------------------------------- diff --git a/docs/src/main/asciidoc/chapters/kerberos.txt b/docs/src/main/asciidoc/chapters/kerberos.txt index ef7a7f5..95fd5f6 100644 --- a/docs/src/main/asciidoc/chapters/kerberos.txt +++ b/docs/src/main/asciidoc/chapters/kerberos.txt @@ -210,6 +210,19 @@ The KDC is still the authoritative entity for user management. The previously me are provided as they simplify management of users within Accumulo, especially with respect to granting Authorizations and Permissions to new users. +===== Accumulo Initialization + +Out of the box (without Kerberos enabled), Accumulo has a single user with administrative permissions "root". +This users is used to "bootstrap" other users, creating less-privileged users for applications using +the system. In Kerberos, to authenticate with the system, it's required that the client presents Kerberos +credentials for the principal (user) the client is trying to authenticate as. + +Because of this, an administrative user named "root" would be useless in an instance using Kerberos, +because it is very unlikely to have Kerberos credentials for a principal named `root`. When Kerberos is +enabled, Accumulo will prompt for the name of a user to grant the same permissions as what the `root` +user would normally have. The name of the Accumulo user to grant administrative permissions to can +also be given by the `-u` or `--user` options. + ===== Verifying secure access To verify that servers have correctly started with Kerberos enabled, ensure that the processes
