Date: Mon, 20 May 2013 11:09:44 +0300
Subject: Re: Secure HBase upon Replication
From: Asaf Mesika
To: "user@hbase.apache.org"

Just pinging the question, in case anyone missed it...
(No answers were found in the resources I've searched for, so before diving into the code...)

Thanks!

On Fri, May 10, 2013 at 12:50 AM, Asaf Mesika wrote:

> Thank you for the detailed answer.
> Regarding my 1st question - RPC for replication between master and slave
> region servers is secured the same as RPC between region servers in the
> same cluster? Is there a mechanism for exchanging keys between the master
> and slave clusters?
>
> On Thursday, May 9, 2013, Andrew Purtell wrote:
>
>> There is no separate branch for security features, they are integrated in
>> 0.92 and 0.94. We did partition the security sources into a separate Maven
>> module for 0.92 and 0.94, out of an abundance of caution during development
>> of security features. (Some versions of Hadoop, e.g. 0.20, don't have the
>> necessary APIs, so compiling HBase against such old versions will fail if
>> security sources are included in the build.) That forces the production of
>> those -security artifacts because of Maven being Maven. A -security
>> artifact contains all of 0.94 plus:
>> - A secure RPC engine, for integrating with Hadoop security / Kerberos
>> - The AccessController coprocessor
>> - The TokenProvider coprocessor
>>
>> From 0.95 and forward there won't be separate security artifacts.
>>
>> On Thu, May 9, 2013 at 5:36 PM, Asaf Mesika wrote:
>>
>> > On Thu, May 9, 2013 at 11:43 AM, ramkrishna vasudevan <
>> > ramkrishna.s.vasudevan@gmail.com> wrote:
>> >
>> > > >>Does enabling security in HBase entail using the latest hbase
>> > > >>security branch?
>> > > Which branch are you using? Once you enable security the security
>> > > feature on that branch starts working.
>> > >
>> > If security is a feature, why is HBase releasing two versions each time?
>> > For instance, 0.94.7 and 0.94.7-security?
>> >
>> > > >>3. Suppose the only requirement I have is securing the RPC in between
>> > > >>Master and Slave sites, must I have Secure HDFS and secure ZooKeeper?
>> > > Security if enabled will apply to HDFS and ZooKeeper also. I don't
>> > > think you can only enable for HBase alone.
>> > >
>> > Thus I need to have special versions of HDFS and ZooKeeper as well, or
>> > security is already baked in as a feature in Hadoop 1.0.4 (for example)?
>> >
>> > > >>1. Does HBase support secure RPC between Master and Slave
>> > > >>replications?
>> > > Sorry, I am not sure on this.
>> > >
>> > > Regards
>> > > Ram
>> > >
>> > > On Thu, May 9, 2013 at 2:04 PM, Asaf Mesika wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I know that HBase supports secure RPC between its nodes (Master,
>> > > > Region Server). I have a couple of questions about it:
>> > > >
>> > > > 1. Does HBase support secure RPC between Master and Slave
>> > > > replications?
>> > > > 2. Does enabling security in HBase entail using the latest hbase
>> > > > security branch?
>> > > > 3. Suppose the only requirement I have is securing the RPC in between
>> > > > Master and Slave sites, must I have Secure HDFS and secure ZooKeeper?
>> > > >
>> > > > Thank you,
>> > > >
>> > > > Asaf
>>
>> --
>> Best regards,
>>
>> - Andy
>>
>> Problems worthy of attack prove their worth by hitting back. - Piet Hein
>> (via Tom White)