hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-9482) Do not enforce secure Hadoop for secure HBase
Date Tue, 10 Sep 2013 21:46:51 GMT

    [ https://issues.apache.org/jira/browse/HBASE-9482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13763560#comment-13763560
] 

Andrew Purtell commented on HBASE-9482:
---------------------------------------

+1 from me
                
> Do not enforce secure Hadoop for secure HBase
> ---------------------------------------------
>
>                 Key: HBASE-9482
>                 URL: https://issues.apache.org/jira/browse/HBASE-9482
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.95.2, 0.94.11
>            Reporter: Aditya Kishore
>            Assignee: Aditya Kishore
>              Labels: security
>             Fix For: 0.96.0
>
>         Attachments: HBASE-9482-0.94.patch, HBASE-9482-0.94.patch, HBASE-9482.patch,
HBASE-9482.patch, HBASE-9482.patch
>
>
> We should recommend and not enforce secure Hadoop underneath as a requirement to run
secure HBase.
> Few of our customers have HBase clusters which expose only HBase services to outside
the physical network and no other services (including ssh) are accessible from outside of
such cluster.
> However they are forced to setup secure Hadoop and incur the penalty of security overhead
at filesystem layer even if they do not need to.
> The following code tests for both secure HBase and secure Hadoop.
> {code:title=org.apache.hadoop.hbase.security.User|borderStyle=solid}
>   /**
>    * Returns whether or not secure authentication is enabled for HBase.  Note that
>    * HBase security requires HDFS security to provide any guarantees, so this requires
that
>    * both <code>hbase.security.authentication</code> and <code>hadoop.security.authentication</code>
>    * are set to <code>kerberos</code>.
>    */
>   public static boolean isHBaseSecurityEnabled(Configuration conf) {
>     return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY)) &&
>         "kerberos".equalsIgnoreCase(
>             conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION));
>   }
> {code}
> What is worse that if {{"hadoop.security.authentication"}} is not set to {{"kerberos"}}
(undocumented at http://hbase.apache.org/book/security.html), all other configuration have
no impact and HBase RPCs silently switch back to unsecured mode.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message