Date: Tue, 10 Sep 2013 23:19:53 +0000 (UTC)
From: "Gary Helmling (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Commented] (HBASE-9482) Do not enforce secure Hadoop for secure HBase

    [ https://issues.apache.org/jira/browse/HBASE-9482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13763684#comment-13763684 ]

Gary Helmling commented on HBASE-9482:
--------------------------------------

Thanks [~adityakishore]. +1 from me on the updated patches.

> Do not enforce secure Hadoop for secure HBase
> ---------------------------------------------
>
>                 Key: HBASE-9482
>                 URL: https://issues.apache.org/jira/browse/HBASE-9482
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.95.2, 0.94.11
>            Reporter: Aditya Kishore
>            Assignee: Aditya Kishore
>              Labels: security
>             Fix For: 0.96.0
>
>         Attachments: HBASE-9482-0.94.patch, HBASE-9482-0.94.patch, HBASE-9482-0.94.patch, HBASE-9482.patch, HBASE-9482.patch, HBASE-9482.patch, HBASE-9482.patch
>
>
> We should recommend and not enforce secure Hadoop underneath as a requirement to run secure HBase.
> Few of our customers have HBase clusters which expose only HBase services to outside the physical network and no other services (including ssh) are accessible from outside of such cluster.
> However they are forced to set up secure Hadoop and incur the penalty of security overhead at filesystem layer even if they do not need to.
> The following code tests for both secure HBase and secure Hadoop.
> {code:title=org.apache.hadoop.hbase.security.User|borderStyle=solid}
>   /**
>    * Returns whether or not secure authentication is enabled for HBase. Note that
>    * HBase security requires HDFS security to provide any guarantees, so this requires that
>    * both hbase.security.authentication and hadoop.security.authentication
>    * are set to kerberos.
>    */
>   public static boolean isHBaseSecurityEnabled(Configuration conf) {
>     return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY)) &&
>         "kerberos".equalsIgnoreCase(
>             conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION));
>   }
> {code}
> What is worse is that if {{"hadoop.security.authentication"}} is not set to {{"kerberos"}} (undocumented at http://hbase.apache.org/book/security.html), all other configurations have no impact and HBase RPCs silently switch back to unsecured mode.
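
An added example, not part of the original message or of the HBase code base: a configuration audit that applies the same two-key comparison as the check quoted in the issue and flags the case the reporter describes, where HBase is set to kerberos but Hadoop is not. The function names, the status labels and the sample XML are assumptions made for illustration; it assumes the two keys are supplied through Hadoop-style site XML files.

```python
import xml.etree.ElementTree as ET

HBASE_KEY = "hbase.security.authentication"
HADOOP_KEY = "hadoop.security.authentication"

def parse_site_xml(text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = prop.findtext("value") or ""
    return props

def audit(*site_xml_texts):
    """Merge site files in order (later overrides earlier) and classify them."""
    conf = {}
    for text in site_xml_texts:
        conf.update(parse_site_xml(text))
    # Same comparison as the quoted check: case-insensitive match on "kerberos".
    hbase = conf.get(HBASE_KEY, "").lower() == "kerberos"
    hadoop = conf.get(HADOOP_KEY, "").lower() == "kerberos"
    if hbase and hadoop:
        return "secure"
    if hbase:
        # The operator asked for Kerberos, but the quoted check returns false.
        return "silent-downgrade"
    return "hbase-auth-off"

# Constructed sample files, not taken from any real cluster.
HBASE_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>Kerberos</value></property>
</configuration>"""
CORE_SITE_SIMPLE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""
CORE_SITE_KERBEROS = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, core in (("simple", CORE_SITE_SIMPLE), ("kerberos", CORE_SITE_KERBEROS)):
        print(f"core-site={label}: {audit(core, HBASE_SITE)}")
```

Running such a check against the deployed site files before start-up makes the mismatch visible instead of leaving it to be discovered from unauthenticated RPCs.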