ACCUMULO-3452 Add user manual documentation on impersonation
Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/ef6042fc Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/ef6042fc Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/ef6042fc Branch: refs/heads/master Commit: ef6042fc5ef55385d35688a029e854d08976c60e Parents: 98ced20 Author: Josh Elser <els...@apache.org> Authored: Wed Jan 21 18:36:11 2015 -0500 Committer: Josh Elser <els...@apache.org> Committed: Wed Jan 21 18:36:11 2015 -0500 ---------------------------------------------------------------------- docs/src/main/asciidoc/chapters/kerberos.txt | 36 +++++++++++++++++++++++ 1 file changed, 36 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/ef6042fc/docs/src/main/asciidoc/chapters/kerberos.txt ---------------------------------------------------------------------- diff --git a/docs/src/main/asciidoc/chapters/kerberos.txt b/docs/src/main/asciidoc/chapters/kerberos.txt index 3dcac6d..05d7384 100644 --- a/docs/src/main/asciidoc/chapters/kerberos.txt +++ b/docs/src/main/asciidoc/chapters/kerberos.txt 
@@ -184,6 +184,42 @@ something similar to the following in the application log. 2015-01-07 11:57:56,830 [security.UserGroupInformation] INFO : Login successful for user accumulo/hostn...@example.com using keytab file /etc/security/keytabs/accumulo.service.keytab ---- +===== Impersonation + +Impersonation is functionality which allows a certain user to act as another. One direct application +of this concept within Accumulo is the Thrift proxy. The Thrift proxy is configured to accept +user requests and pass them onto Accumulo, enabling client access to Accumulo via any thrift-compatible +language. When the proxy is running with SASL transports, this enforces that clients present a valid +Kerberos identity to make a connection. In this situation, the Thrift proxy server does not have +access to the secret key material in order to make a secure connection to Accumulo as the client, +it can only connect to Accumulo as itself. Impersonation, in this context, refers to the ability +of the proxy to authenticate to Accumulo as itself, but act on behalf of an Accumulo user. + +Accumulo supports basic impersonation of end-users by a third party via static rules in Accumulo's +site configuration file. + +---- +<property> + <name>instance.rpc.sasl.impersonation.$PROXY_USER.users</name> + <value>*</value> +</property> + +<property> + <name>instance.rpc.sasl.impersonation.$PROXY_USER.hosts</name> + <value>*</value> +</property> +---- + +The value +$PROXY_USER+ is the Kerberos principal of the server which is acting on behalf of a user. +Impersonation is enforced by the Kerberos principal and the host from which the RPC originated. Both +of the above properties expects values which are comma-separated lists. The value of each user in the +list should be the complete Kerberos principal of the user which the give +$PROXY_USER+ can impersonate, +and each value of the hosts list should be the FQDN of the machine which the +$PROXY_USER+ can submit +requests from. 
+ +Both the hosts and users configuration properties also accept a value of +*+ to denote that any user or host +is acceptable for +$PROXY_USER+. + ==== Clients ===== Create client principal
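Review bot: the only configuration example in the new Impersonation subsection is the fully permissive one (`<value>*</value>` for both `instance.rpc.sasl.impersonation.$PROXY_USER.users` and `...hosts`), so a reader who copies it ends up with a proxy principal that may act as any Accumulo user, from any host. Consider leading with a restrictive example, e.g. `<value>alice@EXAMPLE.COM,bob@EXAMPLE.COM</value>` for the users list and `<value>proxy.example.com</value>` for the hosts list, and keeping the `*` form as the explicitly called-out wide-open option in the paragraph that already describes it. The same section should say what happens when a request arrives from a principal or host that is not in the lists (the text says impersonation "is enforced by the Kerberos principal and the host" but never states the failure behaviour), so operators know the lists are a hard check rather than advisory. Minor wording in the added prose: "Both of the above properties expects values" should be "expect", "the give +$PROXY_USER+" should be "the given", and "pass them onto Accumulo" should be "pass them on to Accumulo".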