You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@accumulo.apache.org by el...@apache.org on 2015/05/19 00:00:33 UTC
svn commit: r1680113 - /accumulo/site/trunk/content/1.7/accumulo_user_manual.html

Author: elserj
Date: Mon May 18 22:00:32 2015
New Revision: 1680113

URL: http://svn.apache.org/r1680113
Log:
ACCUMULO-3737 Some addt'l user manual improvements

Modified:
    accumulo/site/trunk/content/1.7/accumulo_user_manual.html

Modified: accumulo/site/trunk/content/1.7/accumulo_user_manual.html
URL: http://svn.apache.org/viewvc/accumulo/site/trunk/content/1.7/accumulo_user_manual.html?rev=1680113&r1=1680112&r2=1680113&view=diff
==============================================================================
--- accumulo/site/trunk/content/1.7/accumulo_user_manual.html (original)
+++ accumulo/site/trunk/content/1.7/accumulo_user_manual.html Mon May 18 22:00:32 2015
@@ -5488,128 +5488,88 @@ all Accumulo servers must share the same
 <p>A number of properties need to be changed to account to properly configure servers
 in <code>accumulo-site.xml</code>.</p>
 </div>
-<div class="ulist">
-<ul>
-<li>
-<p><strong>general.kerberos.keytab</strong>=<em>/etc/security/keytabs/accumulo.service.keytab</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>The path to the keytab for Accumulo on local filesystem.</p>
-</li>
-<li>
-<p>Change the value to the actual path on your system.</p>
-</li>
-</ul>
-</div>
-</li>
-<li>
-<p><strong>general.kerberos.principal</strong>=<em>accumulo/_HOST@REALM</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>The Kerberos principal for Accumulo, needs to match the keytab.</p>
-</li>
-<li>
-<p>"_HOST" can be used instead of the actual hostname in the principal and will be
-automatically expanded to the current FQDN which reduces the configuration file burden.</p>
-</li>
-</ul>
-</div>
-</li>
-<li>
-<p><strong>instance.rpc.sasl.enabled</strong>=<em>true</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>Enables SASL for the Thrift Servers (supports GSSAPI)</p>
-</li>
-</ul>
-</div>
-</li>
-<li>
-<p><strong>instance.security.authenticator</strong>=<em>org.apache.accumulo.server.security.handler.KerberosAuthenticator</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>Configures Accumulo to use the Kerberos principal as the Accumulo username/principal</p>
-</li>
-</ul>
-</div>
-</li>
-<li>
-<p><strong>instance.security.authorizor</strong>=<em>org.apache.accumulo.server.security.handler.KerberosAuthorizor</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>Configures Accumulo to use the Kerberos principal for authorization purposes</p>
-</li>
-</ul>
-</div>
-</li>
-<li>
-<p><strong>instance.security.permissionHandler</strong>=<em>org.apache.accumulo.server.security.handler.KerberosPermissionHandler</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>Configures Accumulo to use the Kerberos principal for permission purposes</p>
-</li>
-</ul>
-</div>
-</li>
-<li>
-<p><strong>trace.token.type</strong>=<em>org.apache.accumulo.core.client.security.tokens.KerberosToken</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>Configures the Accumulo Tracer to use the KerberosToken for authentication when
-serializing traces to the trace table.</p>
-</li>
-</ul>
-</div>
-</li>
-<li>
-<p><strong>trace.user</strong>=<em>accumulo/_HOST@REALM</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>The tracer process needs valid credentials to serialize traces to Accumulo.</p>
-</li>
-<li>
-<p>While the other server processes are creating a SystemToken from the provided keytab and principal, we can
-still use a normal KerberosToken and the same keytab/principal to serialize traces. Like
-non-Kerberized instances, the table must be created and permissions granted to the trace.user.</p>
-</li>
-<li>
-<p>The same <code>_HOST</code> replacement is performed on this value, substituted the FQDN for <code>_HOST</code>.</p>
-</li>
-</ul>
-</div>
-</li>
-<li>
-<p><strong>general.delegation.token.lifetime</strong>=<em>7d</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>The length of time that the server-side secret used to create delegation tokens is valid.
-After a server-side secret expires, a delegation token created with that secret is no longer valid.</p>
-</li>
-</ul>
-</div>
-</li>
-<li>
-<p><strong>general.delegation.token.update.interval</strong>=<em>1d</em></p>
-<div class="ulist">
-<ul>
-<li>
-<p>The frequency in which new server-side secrets should be generated to create delegation
-tokens for clients. Generating new secrets reduces the likelihood of cryptographic attacks.</p>
-</li>
-</ul>
-</div>
-</li>
-</ul>
-</div>
+<table class="tableblock frame-all grid-all spread">
+<colgroup>
+<col style="width: 33%;">
+<col style="width: 33%;">
+<col style="width: 33%;">
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Key</th>
+<th class="tableblock halign-left valign-top">Default Value</th>
+<th class="tableblock halign-left valign-top">Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">general.kerberos.keytab</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">/etc/security/keytabs/accumulo.service.keytab</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The path to the keytab for Accumulo on local filesystem. Change the value to the actual path on your system.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">general.kerberos.principal</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">accumulo/_HOST@REALM</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The Kerberos principal for Accumulo, needs to match the keytab. "_HOST" can be used instead of the actual hostname in the principal and will be automatically expanded to the current FQDN which reduces the configuration file burden.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">instance.rpc.sasl.enabled</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">true</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Enables SASL for the Thrift Servers (supports GSSAPI)</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">rpc.sasl.qop</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">auth</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">One of "auth", "auth-int", or "auth-conf". These map to the SASL defined properties for
+quality of protection. "auth" is authentication only. "auth-int" is authentication and data
+integrity. "auth-conf" is authentication, data integrity and confidentiality.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">instance.security.authenticator</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">org.apache.accumulo.server.security.
+handler.KerberosAuthenticator</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Configures Accumulo to use the Kerberos principal as the Accumulo username/principal</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">instance.security.authorizor</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">org.apache.accumulo.server.security.
+handler.KerberosAuthorizor</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Configures Accumulo to use the Kerberos principal for authorization purposes</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">instance.security.permissionHandler</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">org.apache.accumulo.server.security.
+handler.KerberosPermissionHandler</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Configures Accumulo to use the Kerberos principal for permission purposes</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">trace.token.type</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">org.apache.accumulo.core.client.
+security.tokens.KerberosToken</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Configures the Accumulo Tracer to use the KerberosToken for authentication when serializing traces to the trace table.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">trace.user</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">accumulo/_HOST@REALM</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The tracer process needs valid credentials to serialize traces to Accumulo. While the other server processes are
+creating a SystemToken from the provided keytab and principal, we can still use a normal KerberosToken and the same
+keytab/principal to serialize traces. Like non-Kerberized instances, the table must be created and permissions granted
+to the trace.user. The same <code>_HOST</code> replacement is performed on this value, substituted the FQDN for <code>_HOST</code>.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">general.delegation.token.lifetime</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">7d</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The length of time that the server-side secret used to create delegation tokens is valid. After a server-side secret
+expires, a delegation token created with that secret is no longer valid.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">general.delegation.token.update.interval</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">1d</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">The frequency in which new server-side secrets should be generated to create delegation tokens for clients. Generating
+new secrets reduces the likelihood of cryptographic attacks.</p></td>
+</tr>
+</tbody>
+</table>
 <div class="paragraph">
 <p>Although it should be a prerequisite, it is ever important that you have DNS properly
 configured for your nodes and that Accumulo is configured to use the FQDN. It
@@ -7157,7 +7117,7 @@ modes that are more common when running
 <div class="sect3">
 <h4 id="_known_failure_modes_setup_and_troubleshooting">16.15.1. Known failure modes: Setup and Troubleshooting</h4>
 <div class="paragraph">
-<p>In addition to the general failure modes of running Sqrrl, VMs can introduce a
+<p>In addition to the general failure modes of running Accumulo, VMs can introduce a
 couple of environmental challenges that can affect process stability. Clock
 drift is something that is more common in VMs, especially when VMs are
 suspended and resumed. Clock drift can cause Accumulo servers to assume that
@@ -10916,7 +10876,7 @@ An example is <em>java.lang.String</em>,
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2015-05-12 14:49:53 EDT
+Last updated 2015-05-18 17:01:54 EDT
 </div>
 </div>
 </body>