hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14700) Support a "permissive" mode for secure clusters to allow "simple" auth clients
Date Wed, 28 Oct 2015 21:59:27 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14979315#comment-14979315

Andrew Purtell commented on HBASE-14700:

bq. Hmm, I originally thought that we could get this same info from the audit log, but, looking
now, the audit log entry is written in saslReadAndProcess(), so it would never be called for
these fallback authentications. I can defer the logging until after the connection header
is read so that we can log the username as well. Agree that that is critical information.
Seems like we would want these present in the audit log as well, with SIMPLE for the auth


bq. I suppose if the negotiation fails, then if the server-side fallback flag in enabled,
we could add a check to send the SWITCH_TO_SIMPLE_AUTH response. That could allow things to
continue working in an insecure manner, but could also mask client-side misconfigurations.
If you still think it's worthwhile, maybe we should open a separate JIRA to discuss implications?

Sure, worth following up on separately

> Support a "permissive" mode for secure clusters to allow "simple" auth clients
> ------------------------------------------------------------------------------
>                 Key: HBASE-14700
>                 URL: https://issues.apache.org/jira/browse/HBASE-14700
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>             Fix For: 2.0.0
>         Attachments: HBASE-14700-v2.patch, HBASE-14700.patch
> When implementing HBase security for an existing cluster, it can be useful to support
mixed secure and insecure clients while all client configurations are migrated over to secure
> We currently have an option to allow secure clients to fallback to simple auth against
insecure clusters.  By providing an analogous setting for servers, we would allow a phased
rollout of security:
> # First, security can be enabled on the cluster servers, with the "permissive" mode enabled
> # Clients can be converting to using secure authentication incrementally
> # The server audit logs allow identification of clients still using simple auth to connect
> # Finally, when sufficient clients have been converted to secure operation, the server-side
"permissive" mode can be removed, allowing completely secure operation.
> Obviously with this enabled, there is no effective access control, but this would still
be a useful tool to enable a smooth operational rollout of security.  Permissive mode would
of course be disabled by default.  Enabling it should provide a big scary warning in the logs
on startup, and possibly be flagged on relevant UIs.

This message was sent by Atlassian JIRA

View raw message