hbase-user mailing list archives

From Jerry He <jerry...@gmail.com>
Subject Re: REST Impersonation?
Date Mon, 10 Aug 2015 23:01:43 GMT
The basic concept and impersonation support is this:

Your HBase REST gateway is running under a user id, say 'hbase'.
The incoming REST client user id is 'user1'.

On the HBase server (master or region server), you want the authorization
(ACL) to be done on 'user1'.
You want the user id 'hbase' to be able to impersonate the user id 'user1'.

You would specify in your hbase-site.xml on the HBase servers (master and
region servers):

hadoop.proxyuser.hbase.groups = <the-group-of-user1 or groups or wildcard like *>
hadoop.proxyuser.hbase.hosts = <the-host-where-your-rest-server-is or wildcard like *>

It basically says 'I am allowing the user id hbase to impersonate anyone in
the specified groups from the specified hosts'.

You can look at the master version of the Reference Guide.
I do think we need to do a better job explaining this.


On Mon, Aug 10, 2015 at 2:55 PM, Rose, Joseph <
Joseph.Rose@childrens.harvard.edu> wrote:

> Folks,
> I’d like to get REST gateway impersonation going on my cluster but I’m a
> little confused by the docs (section 55.8 of the reference guide for the
> version I’m using, 0.98.13.)
> As I understand it (please let me know if I’m on the wrong track), this
> will let me send user credentials in on the REST call that match, say, the
> users in my HBase instance. These users have visibility labels associated
> with them and I assume that the labels will function normally with the
> credentials on the REST call.
> In any case, the 0.98.13 docs say that I should set
> ‘hadoop.proxyuser.$USER.groups’ to ‘$GROUPS’; same thing for
> ‘hadoop.proxyuser.$USER.hosts’. What’s the variable substitution for $USER
> and $GROUPS? Do I need to create these before I can use impersonation?
> Obviously I’m somewhat confused. Thanks for your help.
> -j
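
An added example, not part of the original messages and not HBase project code: a small Python audit of the hadoop.proxyuser.<user>.groups and hadoop.proxyuser.<user>.hosts properties described in the reply above. It reads a Hadoop-style configuration file, lists which groups and hosts each proxy user is granted, and reports wildcard or half-configured entries. The sample XML, the group names, the host name and the 'svc' user are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample hbase-site.xml; group, host and 'svc' names are placeholders.
SAMPLE_SITE_XML = """<configuration>
  <property>
    <name>hadoop.proxyuser.hbase.groups</name>
    <value>analysts,etl</value>
  </property>
  <property>
    <name>hadoop.proxyuser.hbase.hosts</name>
    <value>rest-gw.example.internal</value>
  </property>
  <property>
    <name>hadoop.proxyuser.svc.groups</name>
    <value>*</value>
  </property>
</configuration>"""

PREFIX = "hadoop.proxyuser."

def proxyuser_grants(site_xml):
    """Return {proxy_user: {"groups": [...], "hosts": [...]}}; None means not set."""
    grants = {}
    for prop in ET.fromstring(site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        # Split from the right so user names containing dots still parse.
        user, _, kind = name[len(PREFIX):].rpartition(".")
        if user and kind in ("groups", "hosts"):
            entry = grants.setdefault(user, {"groups": None, "hosts": None})
            entry[kind] = [v.strip() for v in value.split(",") if v.strip()]
    return grants

def audit(site_xml):
    """Return (user, kind, issue) tuples for wildcard or unset scopes."""
    findings = []
    for user, grant in sorted(proxyuser_grants(site_xml).items()):
        for kind in ("groups", "hosts"):
            if grant[kind] is None:
                findings.append((user, kind, "missing"))
            elif "*" in grant[kind]:
                findings.append((user, kind, "wildcard"))
    return findings

if __name__ == "__main__":
    for user, kind, issue in audit(SAMPLE_SITE_XML):
        print(f"hadoop.proxyuser.{user}.{kind}: {issue}")
```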
