This is an automated email from the ASF dual-hosted git repository.
granthenke pushed a commit to branch branch-1.10.x
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/branch-1.10.x by this push:
new 896c30c docs: adjust ordering of security docs
896c30c is described below
commit 896c30c91dd97beae9d77218c4f401718bc360ab
Author: Andrew Wong <[email protected]>
AuthorDate: Wed Jun 26 11:38:12 2019 -0700
docs: adjust ordering of security docs
The "Scalability" section discusses the scalability of Kudu's
authentication story, so I put it in the "Authentication" section.
Coarse-grained authorization also seems to follow authentication
naturally, so I moved the "Coarse-Grained Authorization" section up to
be right after the "Authentication" section.
Change-Id: I98d7b9c42de663e6613ab48d9201bfabe217d7e9
Reviewed-on: http://gerrit.cloudera.org:8080/13758
Tested-by: Kudu Jenkins
Reviewed-by: Hao Hao <[email protected]>
Reviewed-by: Grant Henke <[email protected]>
(cherry picked from commit 5c652defff422f908dacc11011dc6ae59bf49be5)
Reviewed-on: http://gerrit.cloudera.org:8080/13766
Reviewed-by: Alexey Serbin <[email protected]>
---
docs/security.adoc | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/docs/security.adoc b/docs/security.adoc
index dcb82d6..18d2d7a 100644
--- a/docs/security.adoc
+++ b/docs/security.adoc
@@ -112,7 +112,7 @@ $ kinit [email protected]
Once authenticated, you use the same client code to read from and write to Kudu
servers with and without Kerberos configuration.
-== Scalability
+=== Scalability
Kudu authentication is designed to scale to thousands of nodes, which requires
avoiding unnecessary coordination with a central authentication authority (such
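Review bot: Demoting `== Scalability` to `=== Scalability` turns it into a subsection of the preceding Authentication section, which matches the commit message; the one thing to verify is that the rendered page's table of contents is configured to show level-3 headings, otherwise this section disappears from the TOC after the change. The surrounding context (`$ kinit [email protected]` and "Once authenticated, you use the same client code ...") confirms the hunk sits inside the authentication walkthrough, so the nesting is correct.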
@@ -121,24 +121,6 @@ establish initial trust with the Kudu master, and then use
alternate credentials
for subsequent connections. In particular, the master will issue internal
X.509 certificates to servers, and temporary authentication tokens to clients.
-== Encryption
-
-Kudu allows all communications among servers and between clients and servers
-to be encrypted with TLS.
-
-Encryption can be configured on Kudu servers using the `--rpc_encryption` flag,
-which can be set to `required`, `optional`, or `disabled`. By default, the flag
-is set to `optional`. When `required`, Kudu will reject unencrypted
connections.
-When `optional`, Kudu will attempt to use encryption. Same as authentication,
-when `disabled` or encryption fails for `optional`, Kudu will only allow
-unencrypted connections from trusted subnets and reject any unencrypted
connections
-from publicly routable IPs. To secure a cluster, use
`--rpc_encryption=required`.
-
-NOTE: Kudu will automatically turn off encryption on local loopback
connections,
-since traffic from these connections is never exposed externally. This allows
-locality-aware compute frameworks like Spark and Impala to avoid encryption
-overhead, while still ensuring data confidentiality.
-
== Coarse-Grained Authorization
Kudu supports coarse-grained authorization of client requests based on the
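Review bot: This hunk is a pure deletion of the Encryption section with no wording changes, so it has to be reviewed together with the re-insertion in the next hunk and the removed lines should be identical there to keep the change a move rather than an edit. Note that `-== Encryption` carries no explicit `[[...]]` anchor, unlike `[[web-ui]]` later in the file, so any cross-reference into this section depends on the id generated from the heading text; that id survives the move as long as the heading text stays the same.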
@@ -169,6 +151,24 @@ to only those users who are able to successfully
authenticate via Kerberos.
Unauthenticated users on the same network as the Kudu servers will be unable
to access the cluster.
+== Encryption
+
+Kudu allows all communications among servers and between clients and servers
+to be encrypted with TLS.
+
+Encryption can be configured on Kudu servers using the `--rpc_encryption` flag,
+which can be set to `required`, `optional`, or `disabled`. By default, the flag
+is set to `optional`. When `required`, Kudu will reject unencrypted
connections.
+When `optional`, Kudu will attempt to use encryption. Same as authentication,
+when `disabled` or encryption fails for `optional`, Kudu will only allow
+unencrypted connections from trusted subnets and reject any unencrypted
connections
+from publicly routable IPs. To secure a cluster, use
`--rpc_encryption=required`.
+
+NOTE: Kudu will automatically turn off encryption on local loopback
connections,
+since traffic from these connections is never exposed externally. This allows
+locality-aware compute frameworks like Spark and Impala to avoid encryption
+overhead, while still ensuring data confidentiality.
+
[[web-ui]]
== Web UI Encryption
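Review bot: The re-added block matches the removed one line for line, so the resulting order is Authentication (now containing Scalability), Coarse-Grained Authorization, Encryption, then Web UI Encryption, which also has the benefit of placing the two encryption sections next to each other. Since these lines are being touched anyway, a follow-up could tighten the sentence starting "Same as authentication, when `disabled` or encryption fails for `optional`, Kudu will only allow" so it states plainly that with the default `optional` setting an unencrypted connection from a trusted subnet is still accepted; that is the fact a reader needs before the closing advice "To secure a cluster, use `--rpc_encryption=required`."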