impala-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Danny Morgan <unlucky...@hotmail.com>
Subject Re: Impala Hbase Security
Date Sat, 04 Feb 2017 03:20:49 GMT
Thanks Tim!


I believe HDFS is a special case as libHdfs doesn't have a functional api for proxy user impersonation
at the moment, and instead uses the UGI methods which just use the process uid or the cached
principal.


In the case of HBase there is a proxy impersonation api in HBase 1.0+ but even with the current
implementation as far as I can tell Impala wouldn't be compatible with Sentry's HBase privilege
model either. Is that correct?


Thank you again.

________________________________
From: Tim Armstrong <tarmstrong@cloudera.com>
Sent: Friday, February 3, 2017 7:48:08 PM
To: user@impala.incubator.apache.org
Subject: Re: Impala Hbase Security

I don't believe that we have anything planned.

For what it's worth the situation with HDFS is similar - we generally assume that the Impala
user is given broad enough permissions to access any HDFS files or directories that any Impala
user needs access too. Then authorisation is done via Sentry to determine whether a given
user has access to the particular tables and columns. This lets us do things like column-level
security and also have different permissions on views and the underlying tables.

On Fri, Feb 3, 2017 at 10:03 AM, Danny Morgan <unluckyboy@hotmail.com<mailto:unluckyboy@hotmail.com>>
wrote:

Thanks Tim, I was able to verify the kerberos support. Any chance you'll add support for impersonation
to HBase? I think right now everything runs as the "impala" user.

________________________________
From: Tim Armstrong <tarmstrong@cloudera.com<mailto:tarmstrong@cloudera.com>>
Sent: Thursday, February 2, 2017 9:14:47 PM
To: user@impala.incubator.apache.org<mailto:user@impala.incubator.apache.org>
Subject: Re: Impala Hbase Security

Hi Danny,
  I believe that Impala should pick up your HBase security configuration from hbase-site.xml.
We don't support impersonation.

- Tim

On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <unluckyboy@hotmail.com<mailto:unluckyboy@hotmail.com>>
wrote:

Hi Everyone, any luck?

________________________________
From: Danny Morgan <unluckyboy@hotmail.com<mailto:unluckyboy@hotmail.com>>
Sent: Friday, January 27, 2017 10:08:12 PM
To: user@impala.incubator.apache.org<mailto:user@impala.incubator.apache.org>
Subject: Impala Hbase Security


Does Impala support HBase security? Can Impala impersonation end users when
 access HBase?


Does Impala work with Kerberized HBase?


Thank You




Mime
View raw message