[ https://issues.apache.org/jira/browse/FLUME-2631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14337152#comment-14337152 ]

Hari Shreedharan commented on FLUME-2631:
-----------------------------------------

So here is one thought - we add a new module - flume-ng-secure-sdk (or 
something), which will have the secure thrift RPC client, which will extend 
from the normal thrift RPC client which will live in the flume-ng-sdk. This way 
we can keep the flume-ng-sdk from depending on hadoop, while the secure one 
will. This way, we can avoid users having to pull in hadoop if they don't care 
about security.

We'd still be adding hadoop as a dependency for the flume-ng-core package, but 
that is still OK, I think - since that is meant to operate in its own JVM 
anyway.

> End to End authentication in Flume 
> -----------------------------------
>
>                 Key: FLUME-2631
>                 URL: https://issues.apache.org/jira/browse/FLUME-2631
>             Project: Flume
>          Issue Type: New Feature
>          Components: Sinks+Sources
>            Reporter: Johny Rufus
>            Assignee: Johny Rufus
>             Fix For: v1.6.0
>
>         Attachments: FLUME-2631.patch
>
>
> 1. The idea is to enable authentication primarily by using 
> SASL/GSSAPI/Kerberos with Thrift RPC. [Thrift already has support for SASL 
> api that supports kerberos, so implementing right now for Thrift. For Avro 
> RPC kerberos support, Avro needs to support SASL first for its Netty Server, 
> before we can use it in flume]
> 2. Authentication will happen hop to hop [Client to source, intermediate 
> sources to sinks, final sink to destination]. 
> 3. As per the initial model, the user principals won’t be carried forward. 
> The flume client [ThriftRpcClient] will authenticate itself to the KDC. All 
> the intermediate agents [Thrift Sources/Sinks] will authenticate as principal 
> ‘flume’ (typically, but this can be any valid principal that KDC can 
> authenticate) to each other and the final agent will authenticate to the 
> destination as the principal it wishes to identify to the destination.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
