hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mikhail Antonov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-2016) [DAC] Authentication
Date Fri, 08 Nov 2013 21:31:19 GMT

    [ https://issues.apache.org/jira/browse/HBASE-2016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13817703#comment-13817703

Mikhail Antonov commented on HBASE-2016:

I see, thanks for the comment Andrew.

I'm actually looking for the deployment picture, when I can avoid having kerberos principals
for end customer of HBase Shell, but it looks like it's not supported now?

What I'm trying to do is following: 

 - Namenode/JT are secured already and have kerberos principals
 - HiveServer2 is already secured in our installation, and configured in such a way that HS
itself has kerberos principals, but end users log in via LDAP and their credentials are passed
to NN/JT as proxied kerberos tickets. So impersonation works just fine, like in Oozie and
other "service-style" entities
 - HBase REST seems to support impersonation

But, I don't see an option to allow end users of HBase Shell (John Smith) to authenticate
via LDAP (without creating trusted bridge between Kerberos and AD, since it may be arbitrary
LDAP server), and then get his credentials to be proxied via some service Kerberos principal
and to be passed to HBase (something like "jsmith via hbase-shell-user/domain@REALM"). 

Is there any support for that, or am I missing something?

> [DAC] Authentication
> --------------------
>                 Key: HBASE-2016
>                 URL: https://issues.apache.org/jira/browse/HBASE-2016
>             Project: HBase
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Andrew Purtell
>            Assignee: Gary Helmling
> Follow what Hadoop is doing. Authentication via JAAS: 
>     http://issues.apache.org/jira/browse/HADOOP-6299
>     http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html
> Should support Kerberos, Unix, and LDAP authentication options. 
> Integrate with authentication mechanisms for IPC and HDFS. 

This message was sent by Atlassian JIRA

View raw message