From: Jeszy
Date: Wed, 8 Feb 2017 21:18:19 +0100
Subject: Re: Impala Hbase Security
To: user@impala.incubator.apache.org
archived-at: Wed, 08 Feb 2017 20:18:31 -0000

Hey Danny,

As far as I know Sentry doesn't work with HBase out of the box (so not
sure about Sentry's HBase model). If you use Sentry, Impala will validate
against Sentry's privilege db (its cached version in the catalog) before
doing anything. That means that if Impala is the only interface to HBase,
you can use Sentry to control access. Since this is not the case, I think
assuming that the 'impala' user is allowed to access anything would work
(since the effective user is cleared against Sentry previously), but you
would have to manually sync HBase and Sentry privileges to cover other
clients. This last part is what Sentry's HDFS sync takes care of in
HDFS-backed tables.

I am not a security guru by any means, so handle with care :)

HTH

On Wed, Feb 8, 2017 at 8:55 PM, Tim Armstrong wrote:
> I believe that's correct - we don't have a special privilege model for
> HBase.
>
> On Fri, Feb 3, 2017 at 7:20 PM, Danny Morgan wrote:
>>
>> Thanks Tim!
>>
>> I believe HDFS is a special case as libHdfs doesn't have a functional API
>> for proxy user impersonation at the moment, and instead uses the UGI methods
>> which just use the process uid or the cached principal.
>>
>> In the case of HBase there is a proxy impersonation API in HBase 1.0+ but
>> even with the current implementation as far as I can tell Impala wouldn't be
>> compatible with Sentry's HBase privilege model either. Is that correct?
>>
>> Thank you again.
>>
>> ________________________________
>> From: Tim Armstrong
>> Sent: Friday, February 3, 2017 7:48:08 PM
>> To: user@impala.incubator.apache.org
>> Subject: Re: Impala Hbase Security
>>
>> I don't believe that we have anything planned.
>>
>> For what it's worth the situation with HDFS is similar - we generally
>> assume that the Impala user is given broad enough permissions to access any
>> HDFS files or directories that any Impala user needs access to. Then
>> authorisation is done via Sentry to determine whether a given user has
>> access to the particular tables and columns. This lets us do things like
>> column-level security and also have different permissions on views and the
>> underlying tables.
>>
>> On Fri, Feb 3, 2017 at 10:03 AM, Danny Morgan wrote:
>>>
>>> Thanks Tim, I was able to verify the Kerberos support. Any chance you'll
>>> add support for impersonation to HBase? I think right now everything runs as
>>> the "impala" user.
>>>
>>> ________________________________
>>> From: Tim Armstrong
>>> Sent: Thursday, February 2, 2017 9:14:47 PM
>>> To: user@impala.incubator.apache.org
>>> Subject: Re: Impala Hbase Security
>>>
>>> Hi Danny,
>>> I believe that Impala should pick up your HBase security configuration
>>> from hbase-site.xml. We don't support impersonation.
>>>
>>> - Tim
>>>
>>> On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan wrote:
>>>>
>>>> Hi Everyone, any luck?
>>>>
>>>> ________________________________
>>>> From: Danny Morgan
>>>> Sent: Friday, January 27, 2017 10:08:12 PM
>>>> To: user@impala.incubator.apache.org
>>>> Subject: Impala Hbase Security
>>>>
>>>> Does Impala support HBase security? Can Impala impersonate end users
>>>> when accessing HBase?
>>>>
>>>> Does Impala work with Kerberized HBase?
>>>>
>>>> Thank You
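
A drift check for the manual HBase/Sentry privilege sync mentioned in the top reply, as an added example that is not part of the original thread or of Impala, Sentry or HBase: it compares group-level Sentry grants on HBase-backed Impala tables with the ACLs held in HBase. The sample data, the privilege-to-action mapping, the "@group" principal convention as used here and all function names are assumptions made for illustration.

```python
from collections import defaultdict

SERVICE_USER = "impala"  # account Impala uses against HBase, per the thread
# Assumed mapping of Sentry privileges to HBase action letters (R=read, W=write).
SENTRY_TO_HBASE = {"SELECT": "R", "INSERT": "W", "ALL": "RW"}

# Constructed sample data, not taken from any real cluster.
TABLE_MAP = {"sales.orders_hbase": "orders", "sales.customers_hbase": "customers"}
SENTRY_GRANTS = {  # group -> {(Impala table, privilege)} with roles already resolved
    "analysts": {("sales.orders_hbase", "SELECT"), ("sales.customers_hbase", "SELECT")},
    "etl": {("sales.orders_hbase", "ALL"), ("sales.customers_hbase", "INSERT")},
}
HBASE_ACLS = {  # HBase table -> {principal: actions}; "@" marks a group
    "orders": {"impala": "RW", "@analysts": "RW", "@etl": "RW"},
    "customers": {"impala": "RW", "@etl": "W", "bob": "R"},
}

def expected_acls(sentry_grants, table_map):
    """Translate Sentry grants into the HBase actions direct clients should hold."""
    expected = defaultdict(lambda: defaultdict(set))
    for group, grants in sentry_grants.items():
        for impala_table, privilege in grants:
            if impala_table in table_map:  # skip tables that are not HBase-backed
                actions = set(SENTRY_TO_HBASE[privilege])
                expected[table_map[impala_table]]["@" + group] |= actions
    return expected

def audit(sentry_grants, table_map, hbase_acls):
    """Return (table, principal, kind, actions) drift findings ordered by table."""
    expected, findings = expected_acls(sentry_grants, table_map), []
    for table in sorted(set(table_map.values())):
        actual = {p: set(a) for p, a in hbase_acls.get(table, {}).items()}
        # Impala authorizes against Sentry, then reads HBase as the service user.
        if "R" not in actual.pop(SERVICE_USER, set()):
            findings.append((table, SERVICE_USER, "service_user_lacks_read", ""))
        want = expected.get(table, {})
        for principal in sorted(set(actual) | set(want)):
            have, need = actual.get(principal, set()), want.get(principal, set())
            if have - need:  # direct HBase clients get more than Sentry allows
                extra = "".join(sorted(have - need))
                findings.append((table, principal, "excess_in_hbase", extra))
            if need - have:  # Sentry grant has no HBase counterpart
                missing = "".join(sorted(need - have))
                findings.append((table, principal, "missing_in_hbase", missing))
    return findings

if __name__ == "__main__":
    for finding in audit(SENTRY_GRANTS, TABLE_MAP, HBASE_ACLS):
        print(finding)
```

The "excess_in_hbase" findings are the ones that matter for access control: they mark principals who can reach data through a non-Impala client that Sentry would not let them query through Impala.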