hbase-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Billy Watson <williamrwat...@gmail.com>
Subject Re: Using KnoxSSO Proxy for Hbase Web UIs
Date Wed, 12 Aug 2020 20:46:37 GMT
So if I'm understanding correctly, I've done something very similar to this
before. You can setup a cross-domain trust at the server level. Then for
your clients, you can specify the krb5 at bootup of java/kinit either
through an environment variable or something like this:
https://stackoverflow.com/a/30710283

Then these two things WOULD allow you to use something like spnego and that
might solve your problems.

To answer your question more directly, without SPNEGO, I don't see anything
like that in the HBase configs but I'm maybe missing something. You're
thinking about it backwards from how I usually think about it, which is
fine.

But if you flip it, there's an easier way, assuming you are cool running a
knox gateway: use the knox gateway to sit in front of the HBase UI and
block access except through the knox servers. There's a tutorial that MIGHT
work here
https://community.cloudera.com/t5/Community-Articles/Configure-Knox-to-access-HBASE-UI/ta-p/249399
although it's roughly similar to setting up any other knox gateway proxy.


William Watson



On Wed, Aug 12, 2020 at 10:50 AM <jw4306295@gmail.com> wrote:

> Hello!
>
>
>
> I'm trying to prevent anonymous access to the Hbase Master and Regionserver
> standard web UIs (the ones running on ports 16010/16030). I'm not able to
> use SPNEGO protection on the web interfaces as the workstations my team
> would be coming in from are Windows 10 workstations on a different domain
> (that we don't have the rights to install software on).
>
>
>
> Is it possible to configure the Hbase web UIs to utilize Knox's KnoxSSO
> proxy? Something analogous to this configuration setting in Hadoop's
> core-site.xml:
>
> <property>
>
> <name>hadoop.http.authentication.authentication.provider.url</name>
>
> <value>https://
> <https://%3cknoxGWserver%3e:8443/gateway/knoxsso/api/v1/websso%3c/value>
> <knoxGWserver>:8443/gateway/knoxsso/api/v1/websso</value>
>
> </property>
>
>
>
> If not, are there any other options available other than disabling the web
> interfaces entirely?
>
>
>
> Thanks!
>
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message