trafodion-codereview mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From DaveBirdsall <...@git.apache.org>
Subject [GitHub] incubator-trafodion pull request #558: TRAFODION [2056] Update installation ...
Date Mon, 27 Jun 2016 16:56:08 GMT
Github user DaveBirdsall commented on a diff in the pull request:

    https://github.com/apache/incubator-trafodion/pull/558#discussion_r68613979
  
    --- Diff: docs/provisioning_guide/src/asciidoc/_chapters/enable_security.adoc ---
    @@ -26,25 +26,100 @@
     [[enable-security]]
     = Enable Security
     
    -If you do not enable security in {project-name}, then a client interface to {project-name}
may request a user name and password,
    -but {project-name} ignores the user name and password entered in the client interface,
and the session runs as the database *root* user,
    -`DB__ROOT`, without restrictions. If you want to restrict users, restrict access to certain
users only, or restrict access to an
    -object or operation, then you must enable security, which enforces authentication and
authorization. You can enable security
    -during installation by answering the {project-name} Installer's prompts or after installation
by running the `traf_authentication_setup`
    -script, which enables both authentication and authorization. For more information, see
    -<<enable-security-authentication-setup-script,Authentication Setup Script>>
below.
    +{project-name} supports user authentication with LDAP, integrates in Hadoop's Kerberos
environment and
    +supports authorization through database grant and revoke requests (privileges).
    +
    +If this is an initial installation, both LDAP and Kerberos can be configured by running
{project-name} installer.
    +If {project-name} is already installed, then both LDAP and Kerberos can be configured
by running {project-name} 
    +security installer. 
    +
    +* If Hadoop has enabled Kerberos, then {project-name} must also enable Kerberos.
    +* If Kerberos is enabled, then LDAP must be enabled.
    +* If LDAP is enabled, then database authorization (privilege support) is automatically
enabled.
    +* If Kerberos is not enabled, then enabling LDAP is optional.
    +
    +[[enable-security-kerberos]]
    +== Configuring {project-name} for Kerberos
    +Kerberos is a protocol for authenticating a request for a service or operation.  It uses
the notion of a ticket to verify accessibility.  
    +The ticket is proof of identity encrypted with a secret key for the particular requested
service.  Tickets exist for a short time and 
    +then expire. Therefore, you can use the service as long as your ticket is valid (i.e.
not expired).  Hadoop uses Kerberos to provide 
    +security for its services, as such {project-name} needs to function properly with Hadoop
that has Kerberos enabled.  
    +
    +=== Kerberos configuration file
    +It is assumed that Kerberos has already been setup on all the nodes by the time Trafodion
is installed. 
    +This section briefly discusses the Kerberos configuration file for reference.
    +
    +The Kerberos configuration file defaults to /etc/krb5.conf and contains, among other
attributes:
    +
    +```
    +* log location: location where Kerberos errors and other information is logged
    --- End diff --
    
    Grammar: should be "are logged"


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message