hbase-issues mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-10646) Enable security features by default for 1.0
Date Wed, 05 Mar 2014 01:33:45 GMT

    [ https://issues.apache.org/jira/browse/HBASE-10646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13920370#comment-13920370 ]

Andrew Purtell commented on HBASE-10646:
----------------------------------------

bq. Does "merging" the secure rpc into the normal rpc make sense – a negotiation at connection
time and a runtime variable that says requires or doesn't require secure rpc

The other security features that depend on subject identity not being spoofed won't provide
any assurance unless strong authentication is in effect.

bq. Can we just have a single security == true or security == false config property?

Yes, I think that makes sense. It could enable the majority of features. It could enable secure
HBase RPC, set up ZooKeeper so we restrict internal znodes with SASL ACLs, and trigger enumeration
of security coprocessors to be loaded as system coprocessors.

Specifically excluded should be the encrypting WAL writer. By its nature encryption introduces
latency, and on the WAL that lowers the ceiling on systemwide write throughput. We can discuss
this further on HBASE-10077 and HBASE-10095 maybe.

> Enable security features by default for 1.0
> -------------------------------------------
>
>                 Key: HBASE-10646
>                 URL: https://issues.apache.org/jira/browse/HBASE-10646
>             Project: HBase
>          Issue Type: Task
>    Affects Versions: 0.99.0
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>
> As discussed in the last PMC meeting, we should enable security features by default in 1.0.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
