Posted to commits@accumulo.apache.org by el...@apache.org on 2015/01/22 00:36:53 UTC

[4/4] accumulo git commit: ACCUMULO-3452 Add user manual documentation on impersonation

ACCUMULO-3452 Add user manual documentation on impersonation


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/ef6042fc
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/ef6042fc
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/ef6042fc

Branch: refs/heads/master
Commit: ef6042fc5ef55385d35688a029e854d08976c60e
Parents: 98ced20
Author: Josh Elser <el...@apache.org>
Authored: Wed Jan 21 18:36:11 2015 -0500
Committer: Josh Elser <el...@apache.org>
Committed: Wed Jan 21 18:36:11 2015 -0500

----------------------------------------------------------------------
 docs/src/main/asciidoc/chapters/kerberos.txt | 36 +++++++++++++++++++++++
 1 file changed, 36 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/ef6042fc/docs/src/main/asciidoc/chapters/kerberos.txt
----------------------------------------------------------------------
diff --git a/docs/src/main/asciidoc/chapters/kerberos.txt b/docs/src/main/asciidoc/chapters/kerberos.txt
index 3dcac6d..05d7384 100644
--- a/docs/src/main/asciidoc/chapters/kerberos.txt
+++ b/docs/src/main/asciidoc/chapters/kerberos.txt
@@ -184,6 +184,42 @@ something similar to the following in the application log.
 2015-01-07 11:57:56,830 [security.UserGroupInformation] INFO : Login successful for user accumulo/hostname@EXAMPLE.COM using keytab file /etc/security/keytabs/accumulo.service.keytab
 ----
 
+===== Impersonation
+
+Impersonation is functionality which allows a certain user to act as another. One direct application
+of this concept within Accumulo is the Thrift proxy. The Thrift proxy is configured to accept
+user requests and pass them onto Accumulo, enabling client access to Accumulo via any thrift-compatible
+language. When the proxy is running with SASL transports, this enforces that clients present a valid
+Kerberos identity to make a connection. In this situation, the Thrift proxy server does not have
+access to the secret key material in order to make a secure connection to Accumulo as the client,
+it can only connect to Accumulo as itself. Impersonation, in this context, refers to the ability
+of the proxy to authenticate to Accumulo as itself, but act on behalf of an Accumulo user.
+
+Accumulo supports basic impersonation of end-users by a third party via static rules in Accumulo's
+site configuration file.
+
+----
+<property>
+  <name>instance.rpc.sasl.impersonation.$PROXY_USER.users</name>
+  <value>*</value>
+</property>
+
+<property>
+  <name>instance.rpc.sasl.impersonation.$PROXY_USER.hosts</name>
+  <value>*</value>
+</property>
+----
+
+The value +$PROXY_USER+ is the Kerberos principal of the server which is acting on behalf of a user.
+Impersonation is enforced by the Kerberos principal and the host from which the RPC originated. Both
+of the above properties expects values which are comma-separated lists. The value of each user in the
+list should be the complete Kerberos principal of the user which the give +$PROXY_USER+ can impersonate,
+and each value of the hosts list should be the FQDN of the machine which the +$PROXY_USER+ can submit
+requests from.
+
+Both the hosts and users configuration properties also accept a value of +*+ to denote that any user or host
+is acceptable for +$PROXY_USER+.
+
 ==== Clients
 
 ===== Create client principal
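Review bot: The only configuration example in this hunk (the `instance.rpc.sasl.impersonation.$PROXY_USER.users` and `.hosts` properties) sets both values to `*`, which, by the text's own definition two paragraphs later, lets `$PROXY_USER` act as any Accumulo user from any host, so anyone copying the snippet deploys the most permissive setting and a compromised proxy becomes every user. Suggest showing the restricted form first, e.g. `<value>alice@EXAMPLE.COM,bob@EXAMPLE.COM</value>` for users and `<value>proxy.example.com</value>` for hosts, and moving `*` to the closing paragraph as an explicit, cautioned opt-in. The hosts paragraph says each entry should be the FQDN the proxy submits requests from but not how the originating host is determined for matching; a sentence on that would help operators get the list right. Minor wording: "Both of the above properties expects" should be "expect", "the give $PROXY_USER" should be "the given $PROXY_USER", and "pass them onto Accumulo" should be "pass them on to Accumulo".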