hbase-issues mailing list archives

From "Gary Helmling (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-4817) Simplify configuration of security components
Date Fri, 18 Nov 2011 01:37:52 GMT
Simplify configuration of security components
---------------------------------------------

                 Key: HBASE-4817
                 URL: https://issues.apache.org/jira/browse/HBASE-4817
             Project: HBase
          Issue Type: Improvement
          Components: security
            Reporter: Gary Helmling


The HBase security features were built to be optionally loadable, when desired, and it shows
through in the complexity of configuring security for operation.

In addition to the baseline configuration required for process keytab files and server principals,
the following properties need to be set to enable security:

{code}
<property>
 <name>hbase.security.authentication</name>
 <value>kerberos</value>
</property>
<property>
 <name>hbase.coprocessor.master.classes</name>
 <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
 <name>hbase.coprocessor.region.classes</name>
 <value>org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<property>
 <name>hbase.rpc.engine</name>
 <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
 <name>hbase.zookeeper.property.authProvider.1</name>
 <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>
</property>
{code}

We should be able to simplify this and automatically set up the underlying code components
(required coprocessors, SecureRpcEngine) when some high level security flags are set.

For authentication and authorization, I'd like to narrow it down to two simple configuration
properties.  When set, these would trigger automatic configuration of the required coprocessors/RpcEngine:

* {{hbase.security.authentication}} - when set to {{kerberos}}, this would automatically:
** set {{hbase.rpc.engine=org.apache.hadoop.hbase.ipc.SecureRpcEngine}}
** add {{org.apache.hadoop.hbase.security.token.TokenProvider}} to the configuration for {{hbase.coprocessor.region.classes}}
** possibly also set {{hbase.zookeeper.property.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider}} for zookeeper?
* {{hbase.security.authorization}} - when set to {{true}}, this would automatically:
** add {{org.apache.hadoop.hbase.security.access.AccessController}} to the configuration for both {{hbase.coprocessor.master.classes}} and {{hbase.coprocessor.region.classes}}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
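
Until the two high-level flags configure the components themselves, an operator can audit an hbase-site.xml for the gaps the message above describes: a flag set while a component it depends on is missing. The following is an added example, not part of the original message and not HBase code; the function names and the sample file are constructed, and the ZooKeeper provider is treated as required even though the issue lists it as tentative.

```python
import xml.etree.ElementTree as ET

SECURE_RPC = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"
TOKEN_PROVIDER = "org.apache.hadoop.hbase.security.token.TokenProvider"
ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
MASTER_CP = "hbase.coprocessor.master.classes"
REGION_CP = "hbase.coprocessor.region.classes"

def load_site(xml_text):
    """Parse hbase-site.xml text into a {name: value} dict (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def audit(conf):
    """Return findings where a high-level flag is set but a dependency is absent."""
    findings = []
    def classes(key):
        return [c.strip() for c in conf.get(key, "").split(",") if c.strip()]
    def need_class(key, cls, why):
        if cls not in classes(key):
            findings.append(f"{key}: missing {cls} ({why})")
    def need_value(key, val, why):
        if conf.get(key) != val:
            findings.append(f"{key}: expected {val} ({why})")
    if conf.get("hbase.security.authentication", "").lower() == "kerberos":
        why = "hbase.security.authentication=kerberos"
        need_value("hbase.rpc.engine", SECURE_RPC, why)
        need_class(REGION_CP, TOKEN_PROVIDER, why)
        # Assumption: the issue marks this ZooKeeper setting as "possibly".
        need_value("hbase.zookeeper.property.authProvider.1", SASL_PROVIDER, why)
    if conf.get("hbase.security.authorization", "").lower() == "true":
        why = "hbase.security.authorization=true"
        need_class(MASTER_CP, ACCESS_CONTROLLER, why)
        need_class(REGION_CP, ACCESS_CONTROLLER, why)
    return findings

# Constructed sample: TokenProvider and the ZooKeeper auth provider are omitted.
SAMPLE = """<configuration>
<property><name>hbase.security.authentication</name><value>kerberos</value></property>
<property><name>hbase.security.authorization</name><value>true</value></property>
<property><name>hbase.rpc.engine</name><value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value></property>
<property><name>hbase.coprocessor.master.classes</name><value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
<property><name>hbase.coprocessor.region.classes</name><value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
</configuration>"""

if __name__ == "__main__":
    for finding in audit(load_site(SAMPLE)):
        print("FINDING", finding)
```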
