hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mi...@apache.org
Subject hbase git commit: HBASE-12168 Document Rest gateway SPNEGO-based authentication for client <Jerry He>
Date Thu, 12 Feb 2015 04:11:04 GMT
Repository: hbase
Updated Branches:
  refs/heads/master e83444e84 -> b51f5dc12


HBASE-12168 Document Rest gateway SPNEGO-based authentication for client
<Jerry He>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/b51f5dc1
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/b51f5dc1
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/b51f5dc1

Branch: refs/heads/master
Commit: b51f5dc120d322786eb09905359e6d4143bd190e
Parents: e83444e
Author: Misty Stanley-Jones <mstanleyjones@cloudera.com>
Authored: Thu Feb 12 14:10:32 2015 +1000
Committer: Misty Stanley-Jones <mstanleyjones@cloudera.com>
Committed: Thu Feb 12 14:10:37 2015 +1000

----------------------------------------------------------------------
 src/main/asciidoc/_chapters/security.adoc | 28 ++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/b51f5dc1/src/main/asciidoc/_chapters/security.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc
index 9cffbdb..072f251 100644
--- a/src/main/asciidoc/_chapters/security.adoc
+++ b/src/main/asciidoc/_chapters/security.adoc
@@ -270,8 +270,6 @@ Add the following to the `hbase-site.xml` file for every REST gateway:
 Substitute the appropriate credential and keytab for _$USER_ and _$KEYTAB_ respectively.
 
 The REST gateway will authenticate with HBase using the supplied credential.
-No authentication will be performed by the REST gateway itself.
-All client access via the REST gateway will use the REST gateway's credential and have its
privilege.
 
 In order to use the REST API principal to interact with HBase, it is also necessary to add
the `hbase.rest.kerberos.principal` to the `_acl_` table.
 For example, to give the REST API principal, `rest_server`, administrative access, a command
such as this one will suffice:
@@ -283,8 +281,30 @@ grant 'rest_server', 'RWCA'
 
 For more information about ACLs, please see the <<hbase.accesscontrol.configuration>>
section
 
-It should be possible for clients to authenticate with the HBase cluster through the REST
gateway in a pass-through manner via SPNEGO HTTP authentication.
-This is future work.
+HBase REST gateway supports link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO
HTTP authentication] for client access to the gateway.
+To enable REST gateway Kerberos authentication for client access, add the following to the
`hbase-site.xml` file for every REST gateway.
+
+[source,xml]
+----
+<property>
+  <name>hbase.rest.authentication.type</name>
+  <value>kerberos</value>
+</property>
+<property>
+  <name>hbase.rest.authentication.kerberos.principal</name>
+  <value>HTTP/_HOST@HADOOP.LOCALDOMAIN</value>
+</property>
+<property>
+  <name>hbase.rest.authentication.kerberos.keytab</name>
+  <value>$KEYTAB</value>
+</property>
+----
+
+Substitute the keytab for HTTP for _$KEYTAB_.
+
+HBase REST gateway supports different 'hbase.rest.authentication.type': simple, kerberos.
+You can also implement a custom authentication by implemening Hadoop AuthenticationHandler,
then specify the full class name as 'hbase.rest.authentication.type' value.
+For more information, refer to link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO
HTTP authentication].
 
 [[security.rest.gateway]]
 === REST Gateway Impersonation Configuration


Mime
View raw message