hbase-user mailing list archives

From: Billy Watson <williamrwat...@gmail.com>
Subject: Re: Using KnoxSSO Proxy for Hbase Web UIs
Date: Wed, 12 Aug 2020 20:46:37 GMT

So if I'm understanding correctly, I've done something very similar to this
before. You can set up a cross-domain trust at the server level. Then for
your clients, you can specify the krb5 at bootup of java/kinit either
through an environment variable or something like this:

Then these two things WOULD allow you to use something like SPNEGO and that
might solve your problems.

To answer your question more directly, without SPNEGO, I don't see anything
like that in the HBase configs but I'm maybe missing something. You're
thinking about it backwards from how I usually think about it, which is

But if you flip it, there's an easier way, assuming you are cool running a
Knox gateway: use the Knox gateway to sit in front of the HBase UI and
block access except through the Knox servers. There's a tutorial that MIGHT
work here
although it's roughly similar to setting up any other Knox gateway proxy.

William Watson

On Wed, Aug 12, 2020 at 10:50 AM <jw4306295@gmail.com> wrote:

> Hello!
> I'm trying to prevent anonymous access to the HBase Master and Regionserver
> standard web UIs (the ones running on ports 16010/16030). I'm not able to
> use SPNEGO protection on the web interfaces as the workstations my team
> would be coming in from are Windows 10 workstations on a different domain
> (that we don't have the rights to install software on).
> Is it possible to configure the HBase web UIs to utilize Knox's KnoxSSO
> proxy? Something analogous to this configuration setting in Hadoop's
> core-site.xml:
> <property>
>   <name>hadoop.http.authentication.authentication.provider.url</name>
>   <value>https://<knoxGWserver>:8443/gateway/knoxsso/api/v1/websso</value>
> </property>
> If not, are there any other options available other than disabling the web
> interfaces entirely?
> Thanks!
