hbase-issues mailing list archives

From "Apekshit Sharma (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14700) Support a "permissive" mode for secure clusters to allow "simple" auth clients
Date Tue, 27 Oct 2015 03:45:27 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14975648#comment-14975648 ]

Apekshit Sharma commented on HBASE-14700:
-----------------------------------------

Looking at the code, it seems there is a way of doing it the other way round. I haven't tried
it myself.
# Client switches to SASL with [fallbackAllowed|https://github.com/apache/hbase/blob/master/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/AbstractRpcClient.java#L72].
As long as the server has security turned off, it'll prompt the client to use simple authentication [here|https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcServer.java#L1527].
# Turn on security on the server.
# Turn off fallback on the client side.

But there is a big drawback to this method. It can cause a service outage if clients aren't
configured properly and server-side security is turned on. Compared to that, your idea wins
big time, since it'll allow the clients to migrate one at a time, which gives the ability to
control the impact if a failure happens.

Are there any other ideas you have in mind?

> Support a "permissive" mode for secure clusters to allow "simple" auth clients
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-14700
>                 URL: https://issues.apache.org/jira/browse/HBASE-14700
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>
> When implementing HBase security for an existing cluster, it can be useful to support
> mixed secure and insecure clients while all client configurations are migrated over to secure
> authentication.
> We currently have an option to allow secure clients to fall back to simple auth against
> insecure clusters.  By providing an analogous setting for servers, we would allow a phased
> rollout of security:
> #. First, security can be enabled on the cluster servers, with the "permissive" mode
> enabled
> #. Clients can be converted to use secure authentication incrementally
> #. The server audit logs allow identification of clients still using simple auth to connect
> #. Finally, when sufficient clients have been converted to secure operation, the server-side
> "permissive" mode can be removed, allowing completely secure operation.
> Obviously with this enabled, there is no effective access control, but this would still
> be a useful tool to enable a smooth operational rollout of security.  Permissive mode would
> of course be disabled by default.  Enabling it should provide a big scary warning in the logs
> on startup, and possibly be flagged on relevant UIs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
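
Added example, not part of the original message or of HBase: a sketch of the audit-log step in the phased rollout quoted above, listing clients that still connected with simple auth after a cutoff so an operator can decide when permissive mode can be removed. The log line layout, the sample lines and all function names are assumptions constructed for this example; adapt the regular expression to the audit format your servers actually emit.

```python
import re

# Constructed audit lines. The layout (timestamp, user, "auth:<METHOD>", client IP)
# is an assumption for this example, not HBase's documented audit format.
SAMPLE_AUDIT_LOG = """\
2015-10-27 03:10:01 Auth successful for etl@EXAMPLE.COM (auth:KERBEROS) from 10.0.0.11
2015-10-27 03:10:05 Auth successful for reports (auth:SIMPLE) from 10.0.0.12
2015-10-27 03:11:40 Auth successful for web (auth:SIMPLE) from 10.0.0.13
2015-10-27 03:40:02 Auth successful for web@EXAMPLE.COM (auth:KERBEROS) from 10.0.0.13
2015-10-27 03:41:17 Auth successful for reports (auth:SIMPLE) from 10.0.0.12
2015-10-27 03:42:00 malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Auth successful for "
    r"(?P<user>\S+) \(auth:(?P<method>[A-Z]+)\) from (?P<ip>\S+)$"
)


def simple_auth_clients(log_text, since):
    """Return {client_ip: (count, users, last_seen)} for SIMPLE auths at or after `since`.

    `since` uses the same fixed-width timestamp layout as the log, so plain
    string comparison orders events correctly.
    """
    found = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "SIMPLE" or m["ts"] < since:
            continue  # not an auth event, already secure, or before the cutoff
        count, users, last_seen = found.get(m["ip"], (0, set(), ""))
        found[m["ip"]] = (count + 1, users | {m["user"]}, max(last_seen, m["ts"]))
    # Sort users so the report is stable between runs.
    return {ip: (c, sorted(u), ts) for ip, (c, u, ts) in found.items()}


def safe_to_disable_permissive(log_text, since):
    """True only if no client used simple auth at or after the cutoff."""
    return not simple_auth_clients(log_text, since)


if __name__ == "__main__":
    for ip, (count, users, last) in sorted(
        simple_auth_clients(SAMPLE_AUDIT_LOG, "2015-10-27 03:30:00").items()
    ):
        print(f"{ip} still on simple auth: {count} connection(s) as {users}, last {last}")
```

Counting any simple-auth connection after the cutoff, rather than each host's most recent connection, keeps a host that runs both converted and unconverted clients on the list.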
