Marc,

Right, gRPC supports other alternatives as well for authentication. I'm not sure what we would actually support at this point if we went with gRPC, but there are options. I think the main issue is Kerberos doesn't really work over HTTP/2 from what I have found when researching.

And I guess that brings up another point. I'm not sure how much people can disclose because of the sensitivity of security, but for the users who are using Kerberos support, is support only used for HDFS or also clients?

Something else to note is that because the main motivation is the RPC layer and gRPC not supporting Kerberos, we could probably still support Accumulo servers using Kerberos to talk to HDFS even if the RPC layer for clients did not support it. This would need to be discussed more but I think it should be doable.

A few more details if anyone is curious: Because gRPC is Netty/Http2 based, it would provide some really nice improvements including better async support, multiplexing, flow control and bi-directional streaming. The async support was the specific use case to help solve https://github.com/apache/accumulo/issues/4664 that got the conversation started. I created a draft/prototype PR https://github.com/apache/accumulo/pull/4715 which implements gRPC for the compaction coordinator service and works quite nicely to handle that use case. Thrift does have some async support but is currently limited (does not support multiplexing for example).

Anyways, that is a bit more about the background on the motivation for the possible change.

Chris

On Fri, Aug 23, 2024 at 5:29 PM Marc P. <marc.par...@gmail.com> wrote:

> Hi Chris S,
>
> Thank you for that context. Based on my experience with gRPC my response
> would change.
>
> I can only speak for myself, but I don't believe the removal of Kerberos
> would be a blocker since acceptable alternatives exist within the
> ecosystem.
>
> Thanks,
> Marc
>
> On Fri, Aug 23, 2024 at 3:38 PM Christopher Shannon <
> christopher.l.shan...@gmail.com> wrote:
>
> > To provide some more context, we are exploring other alternatives besides
> > Thrift for the RPC layer.
> > Specifically I’ve been prototyping gRPC, which
> > has some nice benefits and features, but it is based on Netty and HTTP/2
> > and does not support Kerberos or SASL.
> >
> > On Fri, Aug 23, 2024 at 2:01 PM Marc Parisi <phroc...@apache.org> wrote:
> >
> >> I've struggled to get customers to engage in mailing lists -- not just
> >> for Apache Accumulo -- but other open source projects -- so I'm afraid I
> >> cannot share the same opinion on the need for formality -- especially since
> >> this revolves around a security focused feature.
> >>
> >> In my personal experience vendors who support projects directly are a bit
> >> more vocal but companies who use a project (and are generally more focused
> >> on BL) are reluctant to engage -- and, a few in my experience, forbade it
> >> from their vendors until they determined it safe to do so.
> >>
> >> With that said I have a customer for whom I cannot speak publicly. Would
> >> they have an issue if support was removed? *Yes.*
> >>
> >> I know others on this list are in the same situation. I will do my best
> >> to coax them into contributing something if they can.
> >>
> >> Best of luck gathering feedback.
> >>
> >> Thanks,
> >> Marc
> >>
> >>
> >> On Fri, Aug 23, 2024 at 1:34 PM Christopher <ctubb...@apache.org> wrote:
> >>
> >>> The ASF doesn't have a formal system on which we could reliably conduct
> >>> such a poll. This is just an informal open discussion with mailing list
> >>> subscribers. If somebody wanted to gather anonymous poll data and
> >>> contribute it to the discussion here, they are welcome to do that, and we
> >>> can consider its utility at that time if it happens, but I don't think it's
> >>> necessary to formalize a poll and add anonymity as a first attempt to get
> >>> feedback from users here. It's not a particularly sensitive question to ask
> >>> whether users would be impacted by the removal of any particular feature.
> >>> If users have sensitivities in answering, they can just be terse in their
> >>> response, respond privately off list, through a proxy, or not at all. We
> >>> can already expect that any responses will not be a complete picture
> >>> anyway, since not every user is subscribed to the mailing list. This is
> >>> just a best effort attempt to get some initial feedback.
> >>>
> >>> On Fri, Aug 23, 2024, 13:20 Marc Parisi <phroc...@apache.org> wrote:
> >>>
> >>>> Would the data be any less useful if this were an anonymous poll?
> >>>>
> >>>> On Fri, Aug 23, 2024 at 12:52 PM Christopher Shannon <
> >>>> christopher.l.shan...@gmail.com> wrote:
> >>>>
> >>>> > Oops, I cc'd the wrong dev list so make sure responses go to the right one.
> >>>> >
> >>>> > On Fri, Aug 23, 2024 at 12:50 PM Christopher Shannon <
> >>>> > christopher.l.shan...@gmail.com> wrote:
> >>>> >
> >>>> >> Hello Apache Accumulo Users,
> >>>> >>
> >>>> >> The Accumulo PMC would like to get some feedback on how widely used
> >>>> >> Kerberos[1] support currently is with existing users. Specifically we would
> >>>> >> like some feedback on the following questions:
> >>>> >>
> >>>> >> 1) Who is currently using Kerberos support with Apache Accumulo?
> >>>> >> 2) If you are using it, would you have an issue if support was removed in
> >>>> >> a future version?
> >>>> >>
> >>>> >> Thank you.
> >>>> >>
> >>>> >> [1] https://accumulo.apache.org/docs/2.x/security/kerberos