Return-Path: <issues-return-242082-archive-asf-public=cust-asf.ponee.io@hbase.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 2A907200AEF
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed,  4 May 2016 03:31:15 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 29C821609F5; Wed,  4 May 2016 03:31:15 +0200 (CEST)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 7226E1609F6
	for <archive-asf-public@cust-asf.ponee.io>; Wed,  4 May 2016 03:31:14 +0200 (CEST)
Received: (qmail 8062 invoked by uid 500); 4 May 2016 01:31:13 -0000
Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@hbase.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@hbase.apache.org>
List-Post: <mailto:issues@hbase.apache.org>
List-Id: <issues.hbase.apache.org>
Delivered-To: mailing list issues@hbase.apache.org
Received: (qmail 7846 invoked by uid 99); 4 May 2016 01:31:13 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 May 2016 01:31:13 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 01BEE2C1F71
	for <issues@hbase.apache.org>; Wed,  4 May 2016 01:31:13 +0000 (UTC)
Date: Wed, 4 May 2016 01:31:13 +0000 (UTC)
From: "Josh Elser (JIRA)" <jira@apache.org>
To: issues@hbase.apache.org
Message-ID: <JIRA.12539981.1327623224000.104491.1462325473005@Atlassian.JIRA>
In-Reply-To: <JIRA.12539981.1327623224000@Atlassian.JIRA>
References: <JIRA.12539981.1327623224000@Atlassian.JIRA> <JIRA.12539981.1327623224212@arcas>
Subject: [jira] [Updated] (HBASE-5291) Add Kerberos HTTP SPNEGO
 authentication support to HBase web consoles
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Wed, 04 May 2016 01:31:15 -0000


     [ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser updated HBASE-5291:
------------------------------
    Fix Version/s: 2.0.0

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> ---------------------------------------------------------------------
>
>                 Key: HBASE-5291
>                 URL: https://issues.apache.org/jira/browse/HBASE-5291
>             Project: HBase
>          Issue Type: Improvement
>          Components: master, regionserver, security
>            Reporter: Andrew Purtell
>            Assignee: Josh Elser
>             Fix For: 2.0.0
>
>         Attachments: HBASE-5291.001.patch
>
>
> Like HADOOP-7119, the same motivations:
> {quote}
> Hadoop RPC already supports Kerberos authentication. 
> {quote}
> As does the HBase secure RPC engine.
> {quote}
> Kerberos enables single sign-on.
> Popular browsers (Firefox and Internet Explorer) have support for Kerberos HTTP SPNEGO.
> Adding support for Kerberos HTTP SPNEGO to [HBase] web consoles would provide a unified authentication mechanism and single sign-on for web UI and RPC.
> {quote}
> Also like HADOOP-7119, the same solution:
> A servlet filter is configured in front of all Hadoop web consoles for authentication.
> This filter verifies if the incoming request is already authenticated by the presence of a signed HTTP cookie. If the cookie is present, its signature is valid and its value didn't expire; then the request continues its way to the page invoked by the request. If the cookie is not present, it is invalid or it expired; then the request is delegated to an authenticator handler. The authenticator handler then is responsible for requesting/validating the user-agent for the user credentials. This may require one or more additional interactions between the authenticator handler and the user-agent (which will be multiple HTTP requests). Once the authenticator handler verifies the credentials and generates an authentication token, a signed cookie is returned to the user-agent for all subsequent invocations.
> The authenticator handler is pluggable and 2 implementations are provided out of the box: pseudo/simple and kerberos.
> 1. The pseudo/simple authenticator handler is equivalent to the Hadoop pseudo/simple authentication. It trusts the value of the user.name query string parameter. The pseudo/simple authenticator handler supports an anonymous mode which accepts any request without requiring the user.name query string parameter to create the token. This is the default behavior, preserving the behavior of the HBase web consoles before this patch.
> 2. The kerberos authenticator handler implements the Kerberos HTTP SPNEGO implementation. This authenticator handler will generate a token only if a successful Kerberos HTTP SPNEGO interaction is performed between the user-agent and the authenticator. Browsers like Firefox and Internet Explorer support Kerberos HTTP SPNEGO.
> We can build on the support added to Hadoop via HADOOP-7119. Should just be a matter of wiring up the filter to our infoservers in a similar manner. 
> And from https://issues.apache.org/jira/browse/HBASE-5050?focusedCommentId=13171086&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13171086
> {quote}
> Hadoop 0.23 onwards has a hadoop-auth artifact that provides SPNEGO/Kerberos authentication for webapps via a filter. You should consider using it. You don't have to move Hbase to 0.23 for that, just consume the hadoop-auth artifact, which has no dependencies on the rest of Hadoop 0.23 artifacts.
> {quote}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)