From: misty@apache.org To: commits@hbase.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: hbase git commit: HBASE-12168 Document Rest gateway SPNEGO-based authentication for client Date: Thu, 12 Feb 2015 04:11:04 +0000 (UTC) Repository: hbase Updated Branches: refs/heads/master e83444e84 -> b51f5dc12 HBASE-12168 Document Rest gateway SPNEGO-based authentication for client Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/b51f5dc1 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/b51f5dc1 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/b51f5dc1 Branch: refs/heads/master Commit: b51f5dc120d322786eb09905359e6d4143bd190e Parents: e83444e Author: Misty Stanley-Jones Authored: Thu Feb 12 14:10:32 2015 +1000 Committer: Misty Stanley-Jones Committed: Thu Feb 12 14:10:37 2015 +1000 ---------------------------------------------------------------------- src/main/asciidoc/_chapters/security.adoc | 28 ++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/b51f5dc1/src/main/asciidoc/_chapters/security.adoc ---------------------------------------------------------------------- diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc index 9cffbdb..072f251 100644 --- a/src/main/asciidoc/_chapters/security.adoc +++ b/src/main/asciidoc/_chapters/security.adoc 
@@ -270,8 +270,6 @@ Add the following to the `hbase-site.xml` file for every REST gateway: Substitute the appropriate credential and keytab for _$USER_ and _$KEYTAB_ respectively. The REST gateway will authenticate with HBase using the supplied credential. -No authentication will be performed by the REST gateway itself. -All client access via the REST gateway will use the REST gateway's credential and have its privilege. In order to use the REST API principal to interact with HBase, it is also necessary to add the `hbase.rest.kerberos.principal` to the `_acl_` table. For example, to give the REST API principal, `rest_server`, administrative access, a command such as this one will suffice: 
@@ -283,8 +281,30 @@ grant 'rest_server', 'RWCA' For more information about ACLs, please see the <> section -It should be possible for clients to authenticate with the HBase cluster through the REST gateway in a pass-through manner via SPNEGO HTTP authentication. -This is future work. +HBase REST gateway supports link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO HTTP authentication] for client access to the gateway. +To enable REST gateway Kerberos authentication for client access, add the following to the `hbase-site.xml` file for every REST gateway. + +[source,xml] +---- + + hbase.rest.authentication.type + kerberos + + + hbase.rest.authentication.kerberos.principal + HTTP/_HOST@HADOOP.LOCALDOMAIN + + + hbase.rest.authentication.kerberos.keytab + $KEYTAB + +---- + +Substitute the keytab for HTTP for _$KEYTAB_. + +HBase REST gateway supports different 'hbase.rest.authentication.type': simple, kerberos. +You can also implement a custom authentication by implemening Hadoop AuthenticationHandler, then specify the full class name as 'hbase.rest.authentication.type' value. +For more information, refer to link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO HTTP authentication]. [[security.rest.gateway]] === REST Gateway Impersonation Configuration
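Review bot: In the first hunk (@@ -270,8 +270,6), deleting "No authentication will be performed by the REST gateway itself" and "All client access via the REST gateway will use the REST gateway's credential and have its privilege" leaves the section silent on what happens when the client authentication added further down is not configured. The context lines that remain go on to grant `rest_server` 'RWCA', so a reader who stops here has no hint that every REST client may be acting with that privilege. If that behaviour still applies when `hbase.rest.authentication.type` is not set to `kerberos`, qualify the two sentences instead of removing them, for example "Unless client authentication is enabled as described below, ...", and point forward to the new paragraph.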
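Review bot: In the second hunk (@@ -283,8 +281,30), the closing paragraph lists `simple` and `kerberos` as values of 'hbase.rest.authentication.type' without saying what `simple` does or whether it authenticates clients at all; a sentence describing it would keep an operator from treating the two values as equivalent. The substitution note covers only _$KEYTAB_, while the sample principal `HTTP/_HOST@HADOOP.LOCALDOMAIN` carries a realm that also needs replacing, and "Substitute the keytab for HTTP for _$KEYTAB_" reads more clearly as "Substitute the keytab for the HTTP principal for _$KEYTAB_". Smaller points: "implemening" should be "implementing", the property name is quoted with single quotes where the rest of the file uses backticks, and the same hadoop-auth link appears twice in the added text.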