[ https://issues.apache.org/jira/browse/ACCUMULO-996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13566872#comment-13566872 ]
John Vines commented on ACCUMULO-996:
-------------------------------------
The current API, as well as the proposed simplification, would support
username/pass authentication against LDAP or ZooKeeper, as well as using
LDAP/ZooKeeper for authorization and permission handling. Kerberos is a bit
tricky, but it can be used in this structure as well, though it's still
vulnerable to replay (but not as loose as blasting username+password in the
clear across the wire). PKI can vary, as my understanding is that there's a
variety of implementations of it, some of which have a challenge/response built
into the client-server communications. That would NOT be supported. But any
system which involves challenge/response with another server to gain the token
(like Kerberos) should be functional so long as you can get away from any
machine-specific bindings in the protocol (Kerberos has something like this,
but it's possible to work around if we're only using it for authentication).
Having a connection factory is an interesting aspect, but it's something that
will be necessitated by additional research into some of the various PKI
implementations.
> explore exposing accumulo token in proxy
> ----------------------------------------
>
> Key: ACCUMULO-996
> URL: https://issues.apache.org/jira/browse/ACCUMULO-996
> Project: Accumulo
> Issue Type: Sub-task
> Components: proxy
> Reporter: Keith Turner
> Assignee: Eric Newton
> Fix For: 1.5.0
>
>
> With the new security-related changes for 1.5, does the new authentication
> mechanism need to be exposed in the proxy?