Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id CD9E6200C57 for ; Sat, 1 Apr 2017 00:20:51 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id CC1C7160B8C; Fri, 31 Mar 2017 22:20:51 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 1E6D5160B80 for ; Sat, 1 Apr 2017 00:20:50 +0200 (CEST) Received: (qmail 59282 invoked by uid 500); 31 Mar 2017 22:20:50 -0000 Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@hbase.apache.org Received: (qmail 59270 invoked by uid 99); 31 Mar 2017 22:20:50 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 31 Mar 2017 22:20:50 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id B4D84C1494 for ; Fri, 31 Mar 2017 22:20:49 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -99.202 X-Spam-Level: X-Spam-Status: No, score=-99.202 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id AREtdpQwUOWt for ; Fri, 31 Mar 2017 22:20:49 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 8166C5FC73 for ; Fri, 31 Mar 2017 22:20:48 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id E6E2FE0526 for ; Fri, 31 Mar 2017 22:20:47 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 2F5EC21DD6 for ; Fri, 31 Mar 2017 22:20:47 +0000 (UTC) Date: Fri, 31 Mar 2017 22:20:47 +0000 (UTC) From: "Ted Yu (JIRA)" To: issues@hbase.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Comment Edited] (HBASE-17860) Implement secure native client connection MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Fri, 31 Mar 2017 22:20:52 -0000 [ https://issues.apache.org/jira/browse/HBASE-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15951593#comment-15951593 ] Ted Yu edited comment on HBASE-17860 at 3/31/17 10:19 PM: ---------------------------------------------------------- Here is brief procedure for testing: * install cyrus-sasl-2.1.26 on docker vm and export CYRUS_SASL_PLUGINS_DIR pointing to the directory where sasl library resides * follow this link to install kerberos packages: https://help.ubuntu.com/lts/serverguide/kerberos.html * follow this link to configure KDC: https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/ * generate hbase-host.keytab for server (and optionally hbase.keytab for user, if you don't want to type password) * run kinit with the keytab for user "hbase", or by providing password to kinit * apply the patch which sets necessary config in conf/hbase-site.xml * run bin/start-hbase.sh to start hbase server * use hbase shell to create table (test would populate the table with) {code} test1 column=d:1, timestamp=1490984371943, value=value1 test1 column=d:extra, timestamp=1490984371949, value=value for extra test2 column=d:2, timestamp=1490831145321, value=value2 test2 column=d:extra, timestamp=1490831219721, value=value for extra {code} * run the following command and verify that ClientTest.PutGet passes: buck test //core:client-test --no-results-cache was (Author: yuzhihong@gmail.com): Here is brief procedure for testing: * install cyrus-sasl-2.1.26 on docker vm and export CYRUS_SASL_PLUGINS_DIR pointing to the directory where sasl library resides * follow this link to install kerberos packages: https://help.ubuntu.com/lts/serverguide/kerberos.html * follow this link to configure KDC: https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/ * generate hbase-host.keytab for server (and optionally hbase.keytab for user, if you don't want to type password) * run kinit with the keytab for user "hbase", or by providing password to kinit * apply the patch which sets necessary config in conf/hbase-site.xml * run bin/start-hbase.sh to start hbase server * use hbase shell to create table (test would populate the table with:) {code} test1 column=d:1, timestamp=1490984371943, value=value1 test1 column=d:extra, timestamp=1490984371949, value=value for extra test2 column=d:2, timestamp=1490831145321, value=value2 test2 column=d:extra, timestamp=1490831219721, value=value for extra {code} * run the following command and verify that ClientTest.PutGet passes: buck test //core:client-test --no-results-cache > Implement secure native client connection > ----------------------------------------- > > Key: HBASE-17860 > URL: https://issues.apache.org/jira/browse/HBASE-17860 > Project: HBase > Issue Type: Sub-task > Reporter: Ted Yu > Assignee: Ted Yu > Priority: Critical > > So far, the native client communicates with insecure cluster. > This JIRA is to add secure connection support for native client using Cyrus library. > The work is based on earlier implementation and is redone via wangle and folly frameworks. > Thanks to [~devaraj] who started the initiative. > Here is high level description of the design: > * SaslHandler is declared as: > {code} > class SaslHandler > : public wangle::HandlerAdapter>{ > {code} > It would be inserted between EventBaseHandler and LengthFieldBasedFrameDecoder in the pipeline (via ConnectionFactory::Connect()) > * SaslHandler would intercept writes to server by buffering the IOBuf's and start the handshake process (via sasl_client_XX calls provided by Cyrus) > * after handshake is complete, SaslHandler would send the buffered IOBuf's to server and act as pass-thru from then on -- This message was sent by Atlassian JIRA (v6.3.15#6346)