hbase-user mailing list archives

From Tony Dean <Tony.D...@sas.com>
Subject RE: hbase multi-user security
Date Thu, 12 Jul 2012 19:44:45 GMT
Thanks Andy for the reply.

I understand your normal use case...

If we are hosting we could create separate Web apps per client so that authentication occurs
for each client back to the same hbase/hadoop cluster... therefore, each client would see
only the data that they are supposed to see.

In looking at UGI, I see createProxyUser(...).  Could that be useful?  It returns a UGI object.
 But, I'm wondering how that proxy user can be injected into the RPC connection when making
requests.

Thanks again.

-----Original Message-----
From: Andrew Purtell [mailto:apurtell@apache.org] 
Sent: Wednesday, July 11, 2012 3:11 PM
To: user@hbase.apache.org
Subject: Re: hbase multi-user security

On Wed, Jul 11, 2012 at 11:51 AM, Tony Dean <Tony.Dean@sas.com> wrote:
> Yes, I saw that.  But once you have a User how do you get the SecureClient connection
> to use it?  It seems to just call User.getCurrent().  And it's static so there can only be
> 1.

I think Hadoop's UserGroupInformation is the same, static.

We didn't consider a use case where a client application would have more than one credential.
For how Hadoop security was used up to that point, that wasn't common (or done at all?).

A pretty easy change would be to make User.getCurrent() look up a thread local variable. Then
we could change the principal on a per thread basis in a multithreaded/multiuser application.
Use of the thread local has an unconditional performance cost though.

Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
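
The thread-local lookup suggested in the quoted reply, sketched as an added example; it is not code from HBase, Hadoop or either poster. `PerThreadUser`, `runAs` and the principal names are hypothetical, and plain strings stand in for real credentials; the `finally` block covers the case where a pooled thread is reused by a different client.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical stand-in for a client-side "current user" holder; not HBase's User class.
public class PerThreadUser {
    private static final String PROCESS_USER = "svc-webapp"; // constructed process-wide principal
    private static final ThreadLocal<String> OVERRIDE = new ThreadLocal<>();

    /** Thread-local principal if one is set, otherwise the process-wide one. */
    static String getCurrent() {
        String user = OVERRIDE.get();
        return user != null ? user : PROCESS_USER;
    }

    /** Run work as the given principal on this thread, always restoring the previous value. */
    static <T> T runAs(String principal, Callable<T> work) throws Exception {
        String previous = OVERRIDE.get();
        OVERRIDE.set(principal);
        try {
            return work.call();
        } finally {
            // Pooled threads are reused: without this, the next request served
            // by the same thread would inherit this caller's identity.
            if (previous == null) OVERRIDE.remove(); else OVERRIDE.set(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1); // one worker, forces thread reuse
        try {
            Callable<String> whoAmI = PerThreadUser::getCurrent;
            Callable<String> asClientA = () -> runAs("client-a", whoAmI); // constructed names
            Callable<String> asClientB = () -> runAs("client-b", whoAmI);
            System.out.println(pool.submit(asClientA).get());
            System.out.println(pool.submit(asClientB).get());
            // No override here: the worker must fall back to the process principal.
            System.out.println(pool.submit(whoAmI).get());
        } finally {
            pool.shutdown();
        }
    }
}
```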


