hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gary Helmling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15254) Support fixed domain name in Kerberos name for HBase replication cross realm trust setup
Date Fri, 12 Feb 2016 17:39:18 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15144927#comment-15144927
] 

Gary Helmling commented on HBASE-15254:
---------------------------------------

bq. We simply ran the command add_peer '1', "server1.cie.com:2181:/hbase".

You can simply change this to:
{noformat}
add_peer '1', CLUSTER_KEY => "server1.cie.com:2181:/hbase",
    CONFIG => {
        'hbase.master.kerberos.principal' => 'hbase/instance2@REALM2.COM',
        'hbase.regionserver.kerberos.principal' => 'hbase/instance2@REALM2.COM',
    }
{noformat}

and replication should work.  Without HBASE-14866, I believe you will still have a problem
with the {{enable_table_replication}} shell command, but the patch in that issue should fix
it for you.  Yes, this is not well documented.  We should add it to the reference guide.

bq. Our idea to handle this issue was (similar to how Hadoop and Zookeeper work), we add a
new type in AuthMethod which will be used as a marker for server to identify whether client
has requested for its principal.

I agree that this would be more user friendly.  But would this leave the overall system less
secure?  I thought the reason for the client validating the server principal matches the expected
value was to avoid server impersonation (making the authentication mutual).  Would changing
the client to allow the server to send it's configured principal allow MITM attacks by anyone
with valid kerberos credentials, or do you see this being mitigated some other way?



> Support fixed domain name in Kerberos name for HBase replication cross realm trust setup
> ----------------------------------------------------------------------------------------
>
>                 Key: HBASE-15254
>                 URL: https://issues.apache.org/jira/browse/HBASE-15254
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Ashish Singhi
>            Assignee: Ashish Singhi
>              Labels: kerberos, replication, security
>
> HBase replication will not work with Kerberos cross realm trust when domain name in the
principal is not hostname. 
> A mail was also sent related to this in user mailing list, [mail | https://groups.google.com/forum/#!topic/nosql-databases/AYhQnU9Fc7E]
> The problem here is when ever a user adds a new host to cluster he/she also needs to
add a principal name for that host in KDC, generate a new keytab file and update it across
other hosts accordingly if required. 
> To save all this efforts users may prefer to have a fixed domain name in the principal
for all the hosts and in that case HBase replication will fail because currently we are using
client principal to create sasl client instead we need to use server principal to create sasl
client and establish the sasl context



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message