[
https://issues.apache.org/jira/browse/KNOX-457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14186962#comment-14186962
]
Larry McCay commented on KNOX-457:
----------------------------------
I don't believe that this is a valid usecase.
A cluster that has gone to the trouble of securing the cluster with kerberos
and leaves it only partially secured is a broken deployment.
Any component that is not secured would be vulnerable to identity spoofing from
other components and submitted jobs. This would contradict the intent of
kerberizing the cluster. In fact, this would actually be an "insecure"
deployment as apposed to the usual secure and unsecured.
The current functionality actually provides value in protecting a broken
deployment by only allowing SPNEGO based authentication between the trusted
proxy and the service components. If that authentication fails then it has done
its job.
I would have to be convinced of a valid usecase for such a partially secured
(insecure) deployment.
Now, having it at the topology level makes sense - a gateway should be able to
support a secure cluster and a unsecured cluster.
> Enable or disable security at per service granularity
> -----------------------------------------------------
>
> Key: KNOX-457
> URL: https://issues.apache.org/jira/browse/KNOX-457
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 0.4.0
> Reporter: Kevin Minder
> Assignee: Dilli Arumugam
> Fix For: 0.6.0
>
>
> Currently all services within a cluster are either in secure mode or not
> depending upon the setting in gateway-site.xml. In reality these services
> may be secure or not depending upon individual settings within the cluster.
> Therefore it should be possible to enable security for the cluster at large
> but potentially disable it for a individual services or vice versa disable
> security for the cluster but enable it for individual services.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
