sqoop-dev mailing list archives

From "Abraham Elmahrek" <...@cloudera.com>
Subject Re: Review Request 28834: SQOOP-1755: Sqoop2: Security guide
Date Tue, 09 Dec 2014 16:16:40 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28834/#review64377
-----------------------------------------------------------


A few comments! Good first shot!


docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107041>

    Security Guide?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107040>

    Maybe rephrase: Sqoop2 provides 2 types of authentication: simple and kerberos. The authentication module is pluggable, so more authentication types can be added.
    
    Let's not put specific company names here?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107063>

    Maybe move down to the "Kerberos Authentication" section? This guide seems to be describing Simple Authentication, Kerberos Authentication, and even Custom Authentication.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107066>

    The documentation should be somewhat referential. So let's remove this?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107042>

    Replace with a basic description of Simple Authentication?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107070>

    Simple authentication is used by default. Commenting out authentication configuration will yield the use of simple authentication.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107044>

    "Dependency"?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107045>

    It's difficult to cover every way kerberos can be set up (i.e., there are cross realm setups and multi-trust environments). The content in this section is a great example of one configuration. Maybe phrase it as such? To be more explicit, maybe we can say that this section will describe how to set up the sqoop principals with a local deployment of MIT kerberos.
    
    Also, there are different KDC providers out there: Microsoft ActiveDirectory provides a KDC as well I believe.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107048>

    "All components in the Hadoop ecosystem must be kerberized"?
    
    I believe non-kerberized data sources are still supported.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107047>

    Good idea!



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107046>

    I'm not sure that tying Sqoop to CDH documentation in the code docs is a good idea. Let's remove this line?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107052>

    'kadmin.local' is for a local deployment of a KDC. Otherwise it would be 'kadmin'.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107054>

    I believe <FQDN> in the principal is actually an "instance" string. In hadoop world, the "instance" string should be the FQDN because it's used by hadoop-auth to resolve service locations.
    
    Given this, can we add a comment describing why FQDN is used in the "instance" string?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107055>

    "export SQOOP2_HOST=$(hostname -f)" using shell expansion?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107059>

    If the Sqoop server has started successfully with Kerberos authentication, the following line will be in <@LOGDIR>/sqoop.log:



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107062>

    If the Sqoop client was able to communicate with the Sqoop server, the following will be in <Sqoop Folder>/server/log/catalina.out:



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107071>

    Users can create their own authentication modules by performing the following steps:



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107072>

    Perhaps a code example here? Something simple like an "always authenticated" handler?


- Abraham Elmahrek


On Dec. 9, 2014, 2:19 a.m., richard zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/28834/
> -----------------------------------------------------------
> 
> (Updated Dec. 9, 2014, 2:19 a.m.)
> 
> 
> Review request for Sqoop.
> 
> 
> Repository: sqoop-sqoop2
> 
> 
> Description
> -------
> 
> Given Kerberos has been implemented and sqoop2 now provides SPNEGO, it would be nice to have a security guide which explains the following:
> Features.
> High level design.
> Usage.
> 
> 
> Diffs
> -----
> 
>   docs/src/site/sphinx/KerberosOnSqoop2.rst PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/28834/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> richard zhou
> 
>
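
The review's point that the principal's "instance" string should be the host's FQDN, as an added example that is not part of the original e-mail or the Sqoop documentation: a shell pre-flight check that classifies a principal's instance against an expected FQDN. The `HTTP/...@EXAMPLE.COM` principals, the host name `sqoop2.example.com` and the function name `check_instance` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Principals and host names below are constructed sample values.

# check_instance PRINCIPAL EXPECTED_FQDN
# Prints one status word for the "instance" part of primary/instance@REALM:
#   ok | no-instance | short-hostname | case-mismatch | host-mismatch
check_instance() {
  ci_principal="$1"
  ci_fqdn="$2"
  case "$ci_principal" in
    ?*/?*@?*) ;;                          # primary/instance@REALM
    *) echo "no-instance"; return 0 ;;    # e.g. a user principal
  esac
  ci_rest="${ci_principal#*/}"            # instance@REALM
  ci_instance="${ci_rest%@*}"             # instance
  case "$ci_instance" in
    *.*) ;;
    *) echo "short-hostname"; return 0 ;; # not fully qualified
  esac
  if [ "$ci_instance" = "$ci_fqdn" ]; then
    echo "ok"; return 0
  fi
  # Principal names are case-sensitive, so a mixed-case instance is a
  # different principal from the lowercase one.
  ci_lower_i="$(printf '%s' "$ci_instance" | tr 'A-Z' 'a-z')"
  ci_lower_f="$(printf '%s' "$ci_fqdn" | tr 'A-Z' 'a-z')"
  if [ "$ci_lower_i" = "$ci_lower_f" ]; then
    echo "case-mismatch"
  else
    echo "host-mismatch"
  fi
}

# Host name derived as the review suggests; falls back if -f is unsupported.
SQOOP2_HOST="$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo unknown)"
echo "this host: $SQOOP2_HOST"

# Constructed principals checked against a constructed expected FQDN.
for p in \
  'HTTP/sqoop2.example.com@EXAMPLE.COM' \
  'HTTP/sqoop2@EXAMPLE.COM' \
  'HTTP/Sqoop2.Example.com@EXAMPLE.COM' \
  'sqoop@EXAMPLE.COM'
do
  printf '%-40s %s\n' "$p" "$(check_instance "$p" 'sqoop2.example.com')"
done
```

To check a real deployment, pass each principal name from the service keytab together with `"$SQOOP2_HOST"` instead of the constructed values.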

