Re: Review Request 28834: SQOOP-1755: Sqoop2: Security guide

Abraham Elmahrek Tue, 09 Dec 2014 08:17:19 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/28834/#review64377
-----------------------------------------------------------



A few comments! Good first shot!


docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107041>

    Security Guide?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107040>

    Maybe rephrase: Sqoop2 provides 2 types of authentication: simple and 
kerberos. The authentication module is pluggable, so more authentication types 
can be added.
    
    Let's not put specific company names here?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107063>

    Maybe move down to the "Kerberos Authentication" section? This guide seems 
to be describing Simple Authentication, Kerberos Authentication, and even 
Custom Authentication.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107066>

    The documentation should be somewhat referrential. So lets remove this?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107042>

    Replace with a basic description of Simple Authentication?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107070>

    Simple authentication is used by default. Commenting out authentication 
configuration will yield the use of simple authentication.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107044>

    "Dependency"?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107045>

    It's difficult to cover every way kerberos can be setup (ie: there are 
cross realm setups and multi-trust environments). The content in this section 
is a great example of one configuration. Maybe phrase it as such? To be more 
explicit, maybe we can say that this section will describe how to setup the 
sqoop principals with a local deployment of MIT kerberos.
    
    Also, there are different KDC providers out there: Microsoft 
ActiveDirectory provides a KDC as well I believe.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107048>

    "All components in the Hadoop ecosystem must be kerberized"?
    
    I believe non-kerberized data sources are still supported.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107047>

    Good idea!



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107046>

    I'm not sure that tying Sqoop to CDH documentation in the code docs is a 
good idea. Let's remove this line?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107052>

    'kadmin.local' is for a local deployment of a KDC. Otherwise it would be 
'kadmin'.



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107054>

    I beliee <FQDN> in the principal is actually an "instance" string. In 
hadoop world, the "instance" string should be the FQDN because it's used by 
hadoop-auth to resolve service locations.
    
    Given this, can we add a comment describing why FQDN is used in the 
"instance" string?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107055>

    "export SQOOP2_HOST=$(hostname -f)" using shell expansion?



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107059>

    If the Sqoop server has started successfully with Kerberos authentication, 
the following line will be in <@LOGDIR>/sqoop.log:



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107062>

    If the Sqoop client was able to communicate with the Sqoop server, the 
following will be in <Sqoop Folder>/server/log/catalina.out:



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107071>

    Users can create their own authentication modules. By performing the 
following steps:



docs/src/site/sphinx/KerberosOnSqoop2.rst
<https://reviews.apache.org/r/28834/#comment107072>

    Perhaps a code example here? Something simple like an "always 
authenticated" handler?


- Abraham Elmahrek


On Dec. 9, 2014, 2:19 a.m., richard zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/28834/
> -----------------------------------------------------------
> 
> (Updated Dec. 9, 2014, 2:19 a.m.)
> 
> 
> Review request for Sqoop.
> 
> 
> Repository: sqoop-sqoop2
> 
> 
> Description
> -------
> 
> Given Kerberos has been implemented and sqoop2 now provides SPNEGO, it would 
> be nice to have a security guide which explains the following:
> Features.
> High level design.
> Usage.
> 
> 
> Diffs
> -----
> 
>   docs/src/site/sphinx/KerberosOnSqoop2.rst PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/28834/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> richard zhou
> 
>

Re: Review Request 28834: SQOOP-1755: Sqoop2: Security guide

Reply via email to