14.9. Kerberos¶
GeoMesa includes initial support for Accumulo clusters which are authenticated using Kerberos. Currently keytabs
(and not cached TGTs) are supported, apart from initial setup which requires a cached TGT, usually obtained using kinit
.
Note
Kerberos support is a beta-level feature, and hasn’t been extensively tested with different environments and versions of Accumulo.
Kerberos functionality should be used as follows:
setup_namespace.sh
should be called with the-t
flag to use a cached TGT.geomesa-accumulo
command line tools should be used with the--keytab
parameter. EnsureACCUMULO_HOME
andHADOOP_HOME
are both set.Programmatic access via the GeoTools API should specify the
accumulo.keytab.path
parameter.The GeoServer store should specify the
accumulo.keytab.path
parameter. Ensurecore-site.xml
is accessible to GeoServer e.g. in thewebapps/geoserver/WEB-INF/classes/
directory.
14.9.1. Development & Testing¶
GeoMesa Kerberos support was developed against Hortonworks Data Platform 2.5 authenticating against an MIT KDC as described here. It has been tested in a limited production environment with Hortonworks Data Platform 2.5 authenticating against a Red Hat Identity Management server.