Interesting thoughts around whether we need to include the identity
assertion provider in topology.xml files.
A couple of observations:
1. The Pseudo name is no longer appropriate since it handles both
pseudo/simple as well as doAs for trusted proxy user impersonation to a
Kerberos-protected cluster.
2. This means that as of today there is really only one assertion provider
needed for Hadoop services.
3. Theoretically, we can provide gated access to any service - in which
case the current assertion provider would probably not work and we would
need some other implementation of identity propagation to that service.
Questions:
1. Do we completely hide identity assertion providers from config?
2. Do we just change the name to Hadoop identity assertion provider?
3. Do we actually want to allow for gating access to other services?
   - This would potentially open up some interesting possibilities for
     mashups and automation across Hadoop and other services.
4. Do we change the name to Hadoop and make it the default provider and
allow for overriding it in topology with others?
I personally lean towards #4 for simplicity and flexibility.
Incidentally, I believe that we need to break the principal mapping out
into a separate provider. We may need to consider a #4 pattern for that
provider as well.
Anyway - just some thoughts.