[
https://issues.apache.org/jira/browse/ACCUMULO-1024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13587746#comment-13587746
]
David Medinets commented on ACCUMULO-1024:
------------------------------------------
I should have referenced Tomcat a long time ago in this discussion of user
management, but I just recently thought of it. It's probably way too late to
consider it. My understanding of Tomcat security is rudimentary. By default,
there is a tomcat-users.xml file:
<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1" password="tomcat" roles="role1" />
  <user name="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>
People can manually add users and need to manually add an admin role and user;
otherwise the management web application is disabled.
For more flexibility, Tomcat can be configured to read users from a database,
from LDAP, and probably a lot more. Since I don't know much more, I'll stop
with that brief synopsis.
> Deprecate built-in user management utilities
> --------------------------------------------
>
> Key: ACCUMULO-1024
> URL: https://issues.apache.org/jira/browse/ACCUMULO-1024
> Project: Accumulo
> Issue Type: Sub-task
> Components: master, tserver
> Reporter: Christopher Tubbs
> Assignee: Christopher Tubbs
> Fix For: 1.5.0
>
>
> The built-in user management functionality should be phased out, in favor of
> the pluggable authentication model. Any user-management functions that apply
> to a particular implementation of an authentication should be handled within
> that implementation, and not within Accumulo's core.
> This should reduce the complexity of the overall user model.
> A transition plan should be established for the prior ZKAuthenticator
> implementation for usernames and passwords. The former APIs for user
> management should continue to work as is, and pass through to the former
> implementation, but any new APIs for user management should not be introduced
> to the core (like in SecurityOperations, the shell, and 'accumulo init'),
> because that introduces complexity and essentially establishes a guarantee
> that Accumulo will handle user management for arbitrary authentication
> systems... which I don't think we can do generically.