[jira] [Commented] (FLUME-2631) End to End authentication in Flume

Wed, 04 Mar 2015 11:15:07 -0800 

    [ 
https://issues.apache.org/jira/browse/FLUME-2631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14347398#comment-14347398
 ] 

Johny Rufus commented on FLUME-2631:
------------------------------------

Comments from Ryan : 

Authenticator.get() - static

 (This returns a "not authenticated" executor instance?)

Authenticator getExecutor(), getExecutorAs() - instance methods

(Why not make the authenticator implement PrivilegedExecutor so you don't need 
getExecutor()?)

Executor executePrivileged (action + exception action)  - instance methods

(Would it make sense to be a PrivilegedExecutor with an execute method? There 
is already a java.util.concurrent.Executor class, so the name should be 
different. You could even extend the concurrent one if you want.)

SimpleAuthenticator extends Authenticator (private)

(If you return only initialized PrivilegedExecutor objects, then you don't need 
this class. You can just return a the SimpleExecutor.)

> End to End authentication in Flume 
> -----------------------------------
>
>                 Key: FLUME-2631
>                 URL: https://issues.apache.org/jira/browse/FLUME-2631
>             Project: Flume
>          Issue Type: New Feature
>          Components: Sinks+Sources
>            Reporter: Johny Rufus
>            Assignee: Johny Rufus
>             Fix For: v1.6.0
>
>         Attachments: FLUME-2631-1.patch, FLUME-2631.patch
>
>
> 1. The idea is to enable authentication primarily by using 
> SASL/GSSAPI/Kerberos with Thrift RPC. [Thrift already has support for SASL 
> api that supports kerberos, so implementing right now for Thrift. For Avro 
> RPC kerberos support, Avro needs to support SASL first for its Netty Server, 
> before we can use it in flume]
> 2. Authentication will happen hop to hop[Client to source, intermediate 
> sources to sinks, final sink to destination]. 
> 3. As per the initial model, the user principals won’t be carried forward. 
> The flume client[ThriftRpcClient] will authenticate itself to the KDC. All 
> the intermediate agents [Thrift Sources/Sinks] will authenticate as principal 
> ‘flume’ (typically, but this can be any valid principal that KDC can 
> autenticate) to each other and the final agent will authenticate to the 
> destination as the principal it wishes to identify to the destination



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to