impala-user mailing list archives

From Jeszy <jes...@gmail.com>
Subject Re: Impala Hbase Security
Date Wed, 08 Feb 2017 20:18:19 GMT
Hey Danny,

As far as I know Sentry doesn't work with HBase out of the box (so not
sure about Sentry's HBase model).

If you use Sentry, Impala will validate against Sentry's privilege db
(its cached version in the catalog) before doing anything. That means
that if Impala is the only interface to HBase, you can use Sentry to
control access. Since this is not the case, I think assuming that the
'impala' user is allowed to access anything would work (since the
effective user is cleared against Sentry previously), but you would
have to manually sync HBase and Sentry privileges to cover other
clients.
This last part is what Sentry's HDFS sync takes care of in HDFS-backed
tables. I am not a security guru by any means, so handle with care :)

HTH

On Wed, Feb 8, 2017 at 8:55 PM, Tim Armstrong <tarmstrong@cloudera.com> wrote:
> I believe that's correct - we don't have a special privilege model for
> HBase.
>
> On Fri, Feb 3, 2017 at 7:20 PM, Danny Morgan <unluckyboy@hotmail.com> wrote:
>>
>> Thanks Tim!
>>
>>
>> I believe HDFS is a special case as libHdfs doesn't have a functional api
>> for proxy user impersonation at the moment, and instead uses the UGI methods
>> which just use the process uid or the cached principal.
>>
>>
>> In the case of HBase there is a proxy impersonation api in HBase 1.0+ but
>> even with the current implementation as far as I can tell Impala wouldn't be
>> compatible with Sentry's HBase privilege model either. Is that correct?
>>
>>
>> Thank you again.
>>
>> ________________________________
>> From: Tim Armstrong <tarmstrong@cloudera.com>
>> Sent: Friday, February 3, 2017 7:48:08 PM
>>
>> To: user@impala.incubator.apache.org
>> Subject: Re: Impala Hbase Security
>>
>> I don't believe that we have anything planned.
>>
>> For what it's worth the situation with HDFS is similar - we generally
>> assume that the Impala user is given broad enough permissions to access any
>> HDFS files or directories that any Impala user needs access to. Then
>> authorisation is done via Sentry to determine whether a given user has
>> access to the particular tables and columns. This lets us do things like
>> column-level security and also have different permissions on views and the
>> underlying tables.
>>
>> On Fri, Feb 3, 2017 at 10:03 AM, Danny Morgan <unluckyboy@hotmail.com>
>> wrote:
>>>
>>> Thanks Tim, I was able to verify the Kerberos support. Any chance you'll
>>> add support for impersonation to HBase? I think right now everything runs as
>>> the "impala" user.
>>>
>>> ________________________________
>>> From: Tim Armstrong <tarmstrong@cloudera.com>
>>> Sent: Thursday, February 2, 2017 9:14:47 PM
>>> To: user@impala.incubator.apache.org
>>> Subject: Re: Impala Hbase Security
>>>
>>> Hi Danny,
>>>   I believe that Impala should pick up your HBase security configuration
>>> from hbase-site.xml. We don't support impersonation.
>>>
>>> - Tim
>>>
>>> On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <unluckyboy@hotmail.com>
>>> wrote:
>>>>
>>>> Hi Everyone, any luck?
>>>>
>>>> ________________________________
>>>> From: Danny Morgan <unluckyboy@hotmail.com>
>>>> Sent: Friday, January 27, 2017 10:08:12 PM
>>>> To: user@impala.incubator.apache.org
>>>> Subject: Impala Hbase Security
>>>>
>>>>
>>>> Does Impala support HBase security? Can Impala impersonate end users
>>>> when accessing HBase?
>>>>
>>>>
>>>> Does Impala work with Kerberized HBase?
>>>>
>>>>
>>>> Thank You
>>>>
>>>>
>>>
>>
>
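
One way to check for the drift the top reply describes, where HBase and Sentry privileges have to be kept in sync by hand for clients other than Impala (an added example, not code from this thread or from Impala or Sentry). The grant list, role-to-group map, table mapping, group names and the Sentry-to-HBase permission mapping are constructed assumptions, as is the requirement that the `impala` service user holds read and write on every backing table.

```python
# Assumed mapping from Sentry table privileges to HBase permission letters.
SENTRY_TO_HBASE = {"SELECT": {"R"}, "INSERT": {"W"}, "ALL": {"R", "W"}}

def expected_acl(sentry_grants, role_groups, table_map):
    """Return {hbase_table: {"@group": perms}} implied by the Sentry grants."""
    want = {}
    for role, impala_table, priv in sentry_grants:
        hbase_table = table_map.get(impala_table)
        if hbase_table is None:
            continue  # not an HBase-backed table, nothing to sync
        for group in role_groups.get(role, ()):
            perms = want.setdefault(hbase_table, {}).setdefault("@" + group, set())
            perms.update(SENTRY_TO_HBASE[priv])
    return want

def audit(sentry_grants, role_groups, table_map, hbase_acl, service_user="impala"):
    """Compare HBase ACLs with what Sentry implies; return a list of findings."""
    want = expected_acl(sentry_grants, role_groups, table_map)
    findings = []
    for table in sorted(set(table_map.values())):
        have = hbase_acl.get(table, {})
        need = want.get(table, {})
        # Impala reaches HBase as one service user, so that user needs broad access.
        if not {"R", "W"} <= have.get(service_user, set()):
            findings.append((table, service_user, "service user lacks RW"))
        for principal in sorted((set(have) | set(need)) - {service_user}):
            extra = have.get(principal, set()) - need.get(principal, set())
            missing = need.get(principal, set()) - have.get(principal, set())
            if extra:  # other HBase clients get more than Sentry grants
                findings.append((table, principal,
                                 "HBase allows more than Sentry: " + "".join(sorted(extra))))
            if missing:  # direct HBase access is narrower than access via Impala
                findings.append((table, principal,
                                 "Sentry allows more than HBase: " + "".join(sorted(missing))))
    return findings

# Constructed sample data (hypothetical roles, groups and table names).
GRANTS = [("analyst_role", "sales.orders", "SELECT"),
          ("etl_role", "sales.orders", "ALL")]
ROLE_GROUPS = {"analyst_role": ["analysts"], "etl_role": ["etl"]}
TABLE_MAP = {"sales.orders": "orders_hb"}  # Impala table -> backing HBase table
HBASE_ACL = {"orders_hb": {"impala": {"R", "W"},
                           "@analysts": {"R", "W"},
                           "@contractors": {"R"}}}

if __name__ == "__main__":
    for finding in audit(GRANTS, ROLE_GROUPS, TABLE_MAP, HBASE_ACL):
        print(finding)
```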
