hbase-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Devaraj Das <d...@hortonworks.com>
Subject Re: HBase Security API
Date Mon, 02 Jul 2012 18:12:11 GMT
IMO, the application that you are referring should be set up to impersonate other users (called
proxy-user authentication). 

Have a look at http://hadoop.apache.org/common/docs/r1.0.3/Secure_Impersonation.html. This
can be mapped to the HBase land..

I think the class org.apache.hadoop.hbase.security.User should provide an API to create proxy
users. 

On Jul 1, 2012, at 5:29 PM, Tony Dean wrote:

> Posting this again in plaintext to see if it registers successfully.
> 
> Hi,
> 
> It appears that the Kerberos authentication integration into HBase is via JAAS Krb5LoginModule.
 That is,
> I can setup up the "Client" application context and configure where/how the client Kerberos
principle is
> authenticated (TGT).  Correct?  If I have a multi-tenant application that performs scans/gets/puts
based
> on different users, what is the appropriate way to specify the Kerberos principle to
use on each thread?
> I was thinking that I could use a JAAS callbackHandler to specify the principle to use
and then configure
> the login module to query a keytab for the principal's password key.  Or do I have to
create a Subject and
> configure the login module to use the shared state?
> 
> What's an application's integration point into specifying what client Kerberos principal
to authenticate and use.
> 
> 
> Thank you!
> 
> 
> Tony Dean
> SAS Institute Inc.
> Senior Software Developer
> 919-531-6704
> 
> 
> 
> 


Mime
View raw message