Github user dyozie commented on a diff in the pull request:
https://github.com/apache/incubator-hawq-docs/pull/132#discussion_r147239062
--- Diff: markdown/clientaccess/kerberos-userauth.html.md.erb ---
@@ -0,0 +1,459 @@
+---
+title: Configuring Kerberos User Authentication for HAWQ
+---
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+When Kerberos authentication is enabled at the user level, HAWQ uses the
Generic Security Service Application Program Interface \(GSSAPI\) to provide
automatic authentication \(single sign-on\). When HAWQ uses Kerberos user
authentication, HAWQ itself and the HAWQ users \(roles\) that require Kerberos
authentication require a principal and keytab. When a user attempts to log in
to HAWQ, HAWQ uses its Kerberos principal to connect to the Kerberos server,
and presents the user's principal for Kerberos validation. If the user
principal is valid, login succeeds and the user can access HAWQ. Conversely,
the login fails and HAWQ denies access to the user if the principal is not
valid.
+
+When HAWQ utilizes Kerberos for user authentication, it uses a standard
principal to connect to the Kerberos KDC. The format of this principal is
`postgres/<FQDN_of_master>@<realm>`, where \<FQDN\_of\_master\> refers to the
fully qualified distinguish name of the HAWQ master node.
+
+(You may choose to configure HAWQ user principals before you enable
Kerberos user authentication for HAWQ. See [Configuring Kerberos-Authenticated
HAWQ Users](#hawq_kerb_user_cfg).)
+
+The procedure to configure Kerberos user authentication for HAWQ includes:
+
+If you use an MIT Kerberos KDC Server:
+**Step 1a**: [Configuring the HAWQ Principals using an MIT KDC
Server](#hawq_kerb_cfg_mitkdc)
+
+If you use an Active Directory Kerberos KDC Server:
+**Step 1b**: [Configuring the HAWQ Principal using an AD KDC
Server](#hawq_kerb_cfg_adkdc)
+
+**Step 2**: [Configuring HAWQ to use Kerberos
Authentication](#hawq_kerb_cfg)
+**Step 3**: [Configuring Kerberos-Authenticated HAWQ
Users](#hawq_kerb_user_cfg)
+**Step 4**: [Authenticating User Access to HAWQ](#hawq_kerb_dbaccess)
+
+## <a id="hawq_kerb_cfg_mitkdc"></a>Step 1a: Configuring the HAWQ
Principals using an MIT KDC Server
+
+Perform the following procedure to configure HAWQ Kerberos and `gpadmin`
principals when you are using an MIT KDC server.
+
+**Note**: Some operations may differ based on whether or not you have
configured secure HDFS. These operations are called out below.
+
+1. Log in to the Kerberos KDC server system:
+
+ ``` shell
+ $ ssh root@<kdc-server>
+ root@kdc-server$
+ ```
+
+2. Create a keytab entry for the HAWQ `postgres/<master>` principal using
the `kadmin.local` command. Substitute the HAWQ master node fully qualified
distinguished hostname and your Kerberos realm. For example:
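Review bot: In the paragraph that gives the principal format, FQDN is expanded as "fully qualified distinguish name", and step 2 repeats it as "fully qualified distinguished hostname"; both should read "fully qualified domain name". "Distinguished name" is LDAP/Active Directory terminology, and because this page also has an AD KDC path (Step 1b), a reader could supply a DN rather than the master's DNS name when building `postgres/<FQDN_of_master>@<realm>`. Step 2 also writes the principal as `postgres/<master>` while the format paragraph uses `<FQDN_of_master>`; using the same placeholder in both places would make the substitution unambiguous.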
--- End diff --
"Create a keytab entry for the HAWQ **server**"
---