hbase-user mailing list archives

From Tony Dean <Tony.D...@sas.com>
Subject RE: hbase multi-user security
Date Wed, 11 Jul 2012 18:51:51 GMT
Yes, I saw that.  But once you have a User, how do you get the SecureClient connection to use
it?  It seems to just call User.getCurrent().  And it's static so there can only be 1.

Please help me to understand if I am missing something or if hbase is lacking support for
this usage.

Thanks.

-----Original Message-----
From: Ted Yu [mailto:yuzhihong@gmail.com] 
Sent: Wednesday, July 11, 2012 1:49 PM
To: user@hbase.apache.org
Subject: Re: hbase multi-user security

Have you seen the following method in User.java ?

  public static User create(UserGroupInformation ugi) {
    if (ugi == null) {
      return null;
    }
    return new SecureHadoopUser(ugi);
  }

It wraps an underlying UserGroupInformation instance.

Cheers

On Wed, Jul 11, 2012 at 10:41 AM, Tony Dean <Tony.Dean@sas.com> wrote:

> Hi,
>
> Looking into hbase security, it appears that when HBaseRPC is creating 
> a proxy (e.g., SecureRpcEngine), it injects the current user:
> User.getCurrent() which by default is the cached Kerberos TGT 
> (kinit'ed user - using the "hadoop-user-kerberos" JAAS context).
>
> Since the server proxy always uses User.getCurrent(), how can an 
> application inject the user it wants to use for authorization checks 
> on the peer (region server)?
>
> And since SecureHadoopUser is a static class, how can you have more 
> than 1 active user in the same application?
>
> What you have works for a single user application like the hbase 
> shell, but what about a multi-user application?
>
> Am I missing something?
>
> Thanks!
> Tony Dean
> SAS Institute Inc.
> Senior Software Developer
> 919-531-6704
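
Added example, not part of the original messages and not HBase project code: one way a multi-user application can make User.getCurrent() resolve to a different user per request, by running the client calls inside User.runAs() (which executes under UserGroupInformation.doAs()) on a User built with the User.create(ugi) method quoted above. Assumptions: a Kerberos-secured cluster reachable through the default configuration; the principals, keytab paths, table name and row key are placeholders; PerUserHBaseAccess and readAs are hypothetical names.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

public class PerUserHBaseAccess {   // hypothetical class name

  // Reads one row with the RPC identity set to 'principal'.
  static Result readAs(final Configuration conf, String principal, String keytab,
                       final String table, final String row)
      throws IOException, InterruptedException {
    // Log this principal in without replacing the process-wide login user.
    UserGroupInformation ugi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    User user = User.create(ugi);   // factory method quoted in the thread

    // Inside run(), User.getCurrent() on this thread resolves to 'user'
    // rather than the kinit'ed user, because the action runs under ugi.doAs().
    return user.runAs(new PrivilegedExceptionAction<Result>() {
      public Result run() throws IOException {
        System.out.println("RPC identity: " + User.getCurrent().getName());
        HTable t = new HTable(conf, table);
        try {
          return t.get(new Get(Bytes.toBytes(row)));
        } finally {
          t.close();
        }
      }
    });
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = HBaseConfiguration.create();
    UserGroupInformation.setConfiguration(conf);
    // Placeholder principals and keytab paths (constructed for this example).
    readAs(conf, "alice@EXAMPLE.COM", "/path/to/alice.keytab", "demo_table", "row1");
    readAs(conf, "bob@EXAMPLE.COM", "/path/to/bob.keytab", "demo_table", "row1");
  }
}
```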

