Posted to commits@slider.apache.org by st...@apache.org on 2014/07/01 16:25:31 UTC

svn commit: r1607095 - /incubator/slider/site/trunk/content/docs/security.md

Author: stevel
Date: Tue Jul  1 14:25:30 2014
New Revision: 1607095

URL: http://svn.apache.org/r1607095
Log:
SLIDER-192: use hadoop.security.authentication type to indicate whether to use security or not.

Modified:
    incubator/slider/site/trunk/content/docs/security.md

Modified: incubator/slider/site/trunk/content/docs/security.md
URL: http://svn.apache.org/viewvc/incubator/slider/site/trunk/content/docs/security.md?rev=1607095&r1=1607094&r2=1607095&view=diff
==============================================================================
--- incubator/slider/site/trunk/content/docs/security.md (original)
+++ incubator/slider/site/trunk/content/docs/security.md Tue Jul  1 14:25:30 2014
@@ -24,7 +24,7 @@ to deploy secure applications on a secur
  
 This document does not cover Kerberos, how to secure a Hadoop cluster, Kerberos
 command line tools or how Hadoop uses delegation tokens to delegate permissions
-round a cluster. These are assumed, though some links to useful pages are
+round a cluster. These are prerequisites &em;though some links to useful pages are
 listed at the bottom. 
 
 
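Review bot: `&em;` on the added line is not a defined HTML entity, so the built page will show the literal text "&em;though" instead of a dash. The intended entity is presumably `&mdash;`; suggest "These are prerequisites &mdash; though some links to useful pages are", with a space on each side, or keep the comma used in the line being replaced.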
@@ -72,20 +72,21 @@ Slider runs in secure clusters, but with
 *  Slider application instance and HBase instance to remain functional and secure over an indefinite period of time.
 
 ### Initial Non-requirements
-*  secure audit trail of cluster operations.
-*  multiple authorized users being granted rights to a Slider Cluster (YARN admins can always kill the Slider application instance.
-*  More than one HBase cluster in the YARN cluster belonging to a single user (irrespective of how they are started).
+*  Secure audit trail of cluster operations.
+*  Multiple authorized users being granted rights to a Slider Cluster (YARN admins can always kill the Slider application instance.
 *  Any way to revoke certificates/rights of running containers.
 
 ### Assumptions
 *  Kerberos is running and that HDFS and YARN are running Kerberized.
 *  LDAP cannot be assumed. 
-*  Credentials needed for HBase can be pushed out into the local filesystems of 
+*  Credentials needed for the application can be pushed out into the local filesystems of 
   the of the worker nodes via some external mechanism (e.g. scp), and protected by
   the access permissions of the native filesystem. Any user with access to these
   credentials is considered to have been granted such rights.
-*  These credentials can  outlive the duration of the HBase containers
-*  The user running HBase has the same identity as that of the HBase cluster.
+*  These credentials can outlive the duration of the application instances
+*  The user running the application has the same identity as that of the application.
+*  All application instances run by a single user can share the same machine-specific
+kerberos identities.
 
 ## Design
 
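Review bot: The continuation line "kerberos identities." of the new last assumption starts at column 0, while the wrapped credentials bullet above it indents its continuation lines by two spaces; indent it to match and capitalise "Kerberos" as the first assumption does. Since this bullet arrives as the non-requirement about more than one HBase cluster per user is dropped, it would help to state what sharing implies: combined with the credentials assumption above it, any user who can read those files on a node is treated as holding the rights of every application instance that user runs there. The rewritten "Multiple authorized users" line still has an unclosed parenthesis, and "the of the worker nodes" on the context line under the edited credentials bullet could be fixed in the same pass.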
@@ -172,7 +173,7 @@ They can also be set on the Slider comma
 
     -S java.security.krb5.realm=MINICLUSTER  -S java.security.krb5.kdc=hadoop-kdc
 
-### Java Cryptography Exceptions 
+### Important: Java Cryptography Package  
 
 
 When trying to talk to a secure, cluster you may see the message:
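Review bot: The renamed heading "### Important: Java Cryptography Package" no longer mentions exceptions, yet the section body still opens with the message a reader may see, so someone arriving from that error has less to match on, and any link to the old heading's anchor may break. Consider keeping the word in the title, for example "Important: Java Cryptography Package and Exceptions", and drop the trailing whitespace after the heading. The context line "a secure, cluster" has a stray comma that could be fixed while this section is being touched.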
@@ -184,6 +185,8 @@ needed to work with the keys that Kerber
 from Oracle (or other supplier of the JVM) and installed according to
 its accompanying instructions.
 
+
+
 ## Useful Links
 
 1. [Adding Security to Apache Hadoop](http://hortonworks.com/wp-content/uploads/2011/10/security-design_withCover-1.pdf)
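Review bot: The two blank lines added before "## Useful Links" are a whitespace-only change; one blank line already separates the preceding paragraph from the heading, and Markdown collapses the extras. Drop them unless the site generator needs them, so the diff stays limited to content changes.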