[
https://issues.apache.org/jira/browse/FLUME-2631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14347394#comment-14347394
]
Johny Rufus commented on FLUME-2631:
------------------------------------
Since the client api will be exposed via flume-ng-auth, we need more detailed
specifics as to what should be exposed.
Based on some internal discussions with Hari, Ryan we came up with the
following structure for the client api.
Only Exposed public Class + Api
-------------------------------------
Authenticator.get() - static
Authenticator getExecutor(), getExecutorAs() - instance methods
Executor executePrivileged (action + exception action) - instance methods
Authenticator:
-------------------
static method:
1. Authenticator.get(principal, keytab) : Authenticator
Returns either of the two singletons SimpleAuthenticator or
KerberosAuthenticator based on inputs
Instance methods:
2. getExecutor() : Executor
returns SimpleExecutor or UgiExecutor , based on which Authenticator it was
called on
getExecutorAs(proxyUserName) : Executor
returns UgiExecutor
Executor
------------
executePriviliged (one for action , one for exceptionaction)
Class Hierarchy:
----------------------
Authenticator (Exposed abstract base class)
SimpleAuthenticator extends Authenticator (private)
KerberosAuthenticator extends Authenticator (private)
Executor(Exposed i/f)
SimpleExecutor extends Executor (private)
UgiExecutor extends Executor (private)
> End to End authentication in Flume
> -----------------------------------
>
> Key: FLUME-2631
> URL: https://issues.apache.org/jira/browse/FLUME-2631
> Project: Flume
> Issue Type: New Feature
> Components: Sinks+Sources
> Reporter: Johny Rufus
> Assignee: Johny Rufus
> Fix For: v1.6.0
>
> Attachments: FLUME-2631-1.patch, FLUME-2631.patch
>
>
> 1. The idea is to enable authentication primarily by using
> SASL/GSSAPI/Kerberos with Thrift RPC. [Thrift already has support for SASL
> api that supports kerberos, so implementing right now for Thrift. For Avro
> RPC kerberos support, Avro needs to support SASL first for its Netty Server,
> before we can use it in flume]
> 2. Authentication will happen hop to hop[Client to source, intermediate
> sources to sinks, final sink to destination].
> 3. As per the initial model, the user principals won’t be carried forward.
> The flume client[ThriftRpcClient] will authenticate itself to the KDC. All
> the intermediate agents [Thrift Sources/Sinks] will authenticate as principal
> ‘flume’ (typically, but this can be any valid principal that KDC can
> autenticate) to each other and the final agent will authenticate to the
> destination as the principal it wishes to identify to the destination
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
