hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14700) Support a "permissive" mode for secure clusters to allow "simple" auth clients
Date Wed, 28 Oct 2015 17:37:27 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14978847#comment-14978847

Andrew Purtell commented on HBASE-14700:

The patch lgtm. I like the new metric. 

I can see why you might want this at TRACE level but I'd actually suggest WARN. Suggest also
recording the user in this log line. Will be a PITA when the envisioned migration begins with
most clients only capable of simple auth but very useful once there are just a handful of
stragglers and every instance of this log line will be actionable. 
1530	        if (allowFallbackToSimpleAuth) {
1531	          metrics.authenticationFallback();
1532	          if (LOG.isTraceEnabled()) {
1533	            LOG.trace("Falling back to SIMPLE auth for connection from " + getHostAddress());
1534	          }
1535	        } else {

If we have fallbacks enabled both on client and server, then would it be the case if Kerberos
auth fails we'd get a successful negotiation with SIMPLE auth, and with an audit record in
the log and increment of relevant metric? That could also be useful in some settings. 

> Support a "permissive" mode for secure clusters to allow "simple" auth clients
> ------------------------------------------------------------------------------
>                 Key: HBASE-14700
>                 URL: https://issues.apache.org/jira/browse/HBASE-14700
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>             Fix For: 2.0.0
>         Attachments: HBASE-14700-v2.patch, HBASE-14700.patch
> When implementing HBase security for an existing cluster, it can be useful to support
mixed secure and insecure clients while all client configurations are migrated over to secure
> We currently have an option to allow secure clients to fallback to simple auth against
insecure clusters.  By providing an analogous setting for servers, we would allow a phased
rollout of security:
> # First, security can be enabled on the cluster servers, with the "permissive" mode enabled
> # Clients can be converting to using secure authentication incrementally
> # The server audit logs allow identification of clients still using simple auth to connect
> # Finally, when sufficient clients have been converted to secure operation, the server-side
"permissive" mode can be removed, allowing completely secure operation.
> Obviously with this enabled, there is no effective access control, but this would still
be a useful tool to enable a smooth operational rollout of security.  Permissive mode would
of course be disabled by default.  Enabling it should provide a big scary warning in the logs
on startup, and possibly be flagged on relevant UIs.

This message was sent by Atlassian JIRA

View raw message