ACCUMULO-2815 Support for Kerberos client authentication.

Leverage SASL transport provided by Thrift which can speak GSSAPI,
which Kerberos implements. Introduced...
* An Accumulo KerberosToken which is an AuthenticationToken to
  validate users.
* Custom thrift processor and invocation handler to ensure server
  RPCs have a valid KRB identity and Accumulo authentication.
* Authenticator, Authorizor and PermissionHandler for kerberos
* New ClientConf variables to use SASL transport and pass KRB
  server primary (from principal)
* Updated ClientOpts and Shell opts to transparently use a
  KerberosToken when SASL is enabled (no extra client work).
* Ensure existing unit tests still function.
* Throw ThriftSecurityExceptions on bad authentication to ensure
  proper client action is taken.
* Fall back to krb principal before local OS user
* Initialize accepts a "root" user and defaults to not prompting
  for a password to that user acct w/ SASL enabled.
* Use properties specific to server primary and realm for
  clients to connect to servers (required for SASL handshake).
* Basic KerberosIT testing basic functionality (MiniKdc)
* Introduction of useKrbForIT option to run AccumuloClusterITs
  with Kerberos (not 100% coverage) (MiniKdc)
* Ensure system user doesn't get a "real" user acct.
* Ensure that start-all.sh and stop-all.sh don't require krb creds
* Add user manual documentation
* Use the full krb principal as the accumulo principal
1 file changed