Github user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/132#discussion_r147238218
  
    --- Diff: markdown/clientaccess/kerberos-userauth.html.md.erb ---
    @@ -0,0 +1,459 @@
    +---
    +title: Configuring Kerberos User Authentication for HAWQ
    +---
    +
    +<!--
    +Licensed to the Apache Software Foundation (ASF) under one
    +or more contributor license agreements.  See the NOTICE file
    +distributed with this work for additional information
    +regarding copyright ownership.  The ASF licenses this file
    +to you under the Apache License, Version 2.0 (the
    +"License"); you may not use this file except in compliance
    +with the License.  You may obtain a copy of the License at
    +
    +  http://www.apache.org/licenses/LICENSE-2.0
    +
    +Unless required by applicable law or agreed to in writing,
    +software distributed under the License is distributed on an
    +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    +KIND, either express or implied.  See the License for the
    +specific language governing permissions and limitations
    +under the License.
    +-->
    +
    +When Kerberos authentication is enabled at the user level, HAWQ uses the 
Generic Security Service Application Program Interface \(GSSAPI\) to provide 
automatic authentication \(single sign-on\). When HAWQ uses Kerberos user 
authentication, HAWQ itself and the HAWQ users \(roles\) that require Kerberos 
authentication require a principal and keytab. When a user attempts to log in 
to HAWQ, HAWQ uses its Kerberos principal to connect to the Kerberos server, 
and presents the user's principal for Kerberos validation. If the user 
principal is valid, login succeeds and the user can access HAWQ. Conversely, 
the login fails and HAWQ denies access to the user if the principal is not 
valid.
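
Review bot: In the added intro paragraph, the sentence "HAWQ uses its Kerberos principal to connect to the Kerberos server, and presents the user's principal for Kerberos validation" does not match how a GSSAPI login normally proceeds. The client obtains a service ticket for the server's principal from the KDC and presents it, and the server verifies that ticket with the key in its own keytab rather than submitting the user's principal to the KDC. Suggest rewording to say that the user's client presents a Kerberos ticket and the HAWQ server validates it with its service principal and keytab. Two smaller wording points in the same paragraph: "Conversely" in the last sentence would read better as "Otherwise" or "If the principal is not valid, the login fails", and the "require Kerberos authentication require a principal" repetition in the second sentence could become "need a principal and keytab".
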
    --- End diff --
    
    I realize this text has been around for a while, but it seems like maybe we 
could standardize the terminology a bit here.  I was thinking something like 
this might be clearer:  "When HAWQ uses Kerberos user authentication, both the 
HAWQ server and those HAWQ users \(roles\) that use Kerberos authentication 
require a principal and a keytab. When a user attempts to log in to HAWQ, the 
HAWQ server uses its Kerberos principal to connect to the Kerberos server, and 
presents the user's principal for Kerberos validation. If the user's principal 
is valid, then login succeeds and the user can access HAWQ."
    
    Continuation of edit in the next comment.

