hbase-issues mailing list archives

From "Dilli Arumugam (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
Date Thu, 31 Oct 2013 21:55:17 GMT

    [ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13810773#comment-13810773 ]

Dilli Arumugam commented on HBASE-9866:
---------------------------------------

In response to the question from Jimmy:

Why do we need this? REST server does support proxy users. You should use -u to specify the user, right?
curl -i --negotiate -u <USER>/DOMAIN http://<HOST>:<PORT>/version/cluster

We need this for Apache Knox.
Apache Knox provides perimeter security.
The flow would be:
REST client -> Knox -> HBase REST gateway
Knox authenticates its REST client using HTTP Basic.
Knox itself authenticates to the HBase REST gateway using SPNEGO.
Then, Knox proxies for the end user.
So, the HBase REST gateway should allow Knox to pass the doAs parameter with the value of the end user's identity.


> Support the mode where REST server authorizes proxy users
> ---------------------------------------------------------
>
>                 Key: HBASE-9866
>                 URL: https://issues.apache.org/jira/browse/HBASE-9866
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Devaraj Das
>            Assignee: Devaraj Das
>             Fix For: 0.96.1
>
>         Attachments: 9866-1.txt
>
>
> In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today.
> The curl request would be something like (assuming SPNEGO auth) - 
> {noformat}
> curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster?doas=<USER>
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.1#6144)
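
The decision the gateway has to make in the flow described above (SPNEGO-authenticated caller plus a doAs/doas query parameter), as an added example that is not part of the original message and is not HBase's or Knox's code. The policy table, the principal names, the case-insensitive parameter match and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical policy: which authenticated callers may impersonate whom.
# "*" means any end user. All names are constructed for this example.
PROXY_POLICY = {
    "knox": {"*"},
    "etl-svc": {"alice", "bob"},
}

class Forbidden(Exception):
    """The request must be rejected (HTTP 403 in a real gateway)."""

def short_name(principal):
    # "knox/gw.example.com@EXAMPLE.COM" -> "knox" (simplified mapping, an assumption)
    return principal.split("@", 1)[0].split("/", 1)[0]

def effective_user(authenticated_principal, url, policy=PROXY_POLICY):
    """Return the user the request should run as, or raise Forbidden."""
    caller = short_name(authenticated_principal)
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Match doAs/doas in any letter case and collect every occurrence.
    values = [v for k, vs in query.items() if k.lower() == "doas" for v in vs]
    if not values:
        return caller  # no impersonation requested: run as the caller
    # Repeated, conflicting or empty values are rejected, never resolved by guessing.
    if len(set(values)) != 1 or not values[0]:
        raise Forbidden("ambiguous or empty doAs parameter")
    target = values[0]
    allowed = policy.get(caller, set())
    # Only callers listed in the policy may act for someone else.
    if "*" not in allowed and target not in allowed:
        raise Forbidden(f"{caller} may not impersonate {target}")
    return target
```

The identity in doAs is only trusted because the caller itself authenticated and is listed as a proxy; an ordinary user who appends the parameter is refused.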