hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gary Helmling (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HBASE-3615) Implement token based DIGEST-MD5 authentication for MapReduce tasks
Date Mon, 14 Mar 2011 18:23:29 GMT

    [ https://issues.apache.org/jira/browse/HBASE-3615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13006551#comment-13006551
] 

Gary Helmling commented on HBASE-3615:
--------------------------------------

Ah, good catch on the protocol annotations!  Yes, those definitely leak out the secure Hadoop
classes.  The token auth stuff will be handling in a secure RPC engine enabled via the pluggable
RPC engines configuration.  So the rest of the implementation will be separated out from the
standard HBaseClient/Server.  We can duplicate the annotation interfaces -- I'll look into
the implications of this for any lower level class dependencies.

For build, I'm thinking we have a separate optional build step (I guess practically this means
a separate maven module?) with an isolated dependency on secure Hadoop.  The module would
separate out source code for the secure RPC engine and AccessController coprocessor and generate
a separate jar for these two security products.  (Both are already configured in via class
names in hbase-site.xml and use established interfaces to prevent any direct dependencies
from core HBase code).  It sounds workable to me, but I'm too much of a maven noob to anticipate
how difficult it'll be.

I'd love to start working out the build details with people at the hackathon next week.  But
any thoughts before then are definitely welcome.

> Implement token based DIGEST-MD5 authentication for MapReduce tasks
> -------------------------------------------------------------------
>
>                 Key: HBASE-3615
>                 URL: https://issues.apache.org/jira/browse/HBASE-3615
>             Project: HBase
>          Issue Type: New Feature
>          Components: ipc, security
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>             Fix For: 0.92.0
>
>
> HBase security currently supports Kerberos authentication for clients, but this isn't
sufficient for map-reduce interoperability, where tasks execute without Kerberos credentials.
 In order to fully interoperate with map-reduce clients, we will need to provide our own token
authentication mechanism, mirroring the Hadoop token authentication mechanisms.  This will
require obtaining an HBase authentication token for the user when the job is submitted, serializing
it to a secure location, and then, at task execution, having the client or task code de-serialize
the stored authentication token and use that in the HBase client authentication process.
> A detailed implementation proposal is sketched out on the wiki:
> http://wiki.apache.org/hadoop/Hbase/HBaseTokenAuthentication

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message