You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hbase.apache.org by Kashif Jawed Siddiqui <ka...@huawei.com> on 2014/09/01 08:28:40 UTC
Re: Thrift client authentication skipped for HBase thrift server
Hi All,
As per current implementation done for https://issues.apache.org/jira/i#browse/HBASE-11349 && https://issues.apache.org/jira/i#browse/HBASE-11474 ,
The authentication mechanism using Kerberos principal for Thrift server with HBase is perfectly fine.
But for clients communicating to HBase via thrift server does not handle the security mechanism.
Any unauthenticated client can access HBase via thrift server. The thrift sever can act as a backdoor entry for skipping the security & authentication.
It will be better if thrift clients can also be authenticated through some mechanism like Kerberos or IP restriction,etc
Let us discuss on mechanism for thrift client authentication that can be implemented.
***************************************************************************************
This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
RE: Thrift client authentication skipped for HBase thrift server
Posted by Kashif Jawed Siddiqui <ka...@huawei.com>.
Hi Jimmy,
HBASE-11349/HBASE-11474 is to authenticate the connection from thrift server to HBase.
Here by the term thrift clients, I mean clients trying to access HBase via thrift server.
For example, clients in any unsecure machine will connect to thrift server port 9090 , and in turn thrift will connect to HBase.
Client ----->(unauthenticated connect via port 9090) Thrift -----> (Kerberos authenticated connection) HBase
As portrayed above, the Thrift will authenticate with HBase using Kerberos. But clients connecting to thrift server via 9090 do not get authentictaed
***************************************************************************************
This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
-----Original Message-----
From: Jimmy Xiang [mailto:jxiang@cloudera.com]
Sent: 03 September 2014 03:06
To: dev@hbase.apache.org
Subject: Re: Thrift client authentication skipped for HBase thrift server
>> Kashif,
>>
>> HBASE-11349/HBASE-11474 is indeed to authenticate Thrift clients using Kerberos. Is this what you are looking for?
>> For Thrift server authentication, it is already there. Please refer to the hbase book http://hbase.apache.org/book/security.html#hbase.secure.configuration
>> Section 8.1.4 for more details.
>> Thanks,
>> Jimmy
On Sun, Aug 31, 2014 at 11:28 PM, Kashif Jawed Siddiqui <kashifjs@huawei.com
> wrote:
> Hi All,
>
> As per current implementation done for
> https://issues.apache.org/jira/i#browse/HBASE-11349 &&
> https://issues.apache.org/jira/i#browse/HBASE-11474 ,
>
> The authentication mechanism using Kerberos principal for Thrift
> server with HBase is perfectly fine.
>
>
>
> But for clients communicating to HBase via thrift server does not
> handle the security mechanism.
>
> Any unauthenticated client can access HBase via thrift server. The
> thrift sever can act as a backdoor entry for skipping the security &
> authentication.
>
> It will be better if thrift clients can also be authenticated through
> some mechanism like Kerberos or IP restriction,etc
>
>
>
> Let us discuss on mechanism for thrift client authentication that can
> be implemented.
>
>
>
> **********************************************************************
> ***************** This e-mail and attachments contain confidential
> information from HUAWEI, which is intended only for the person or
> entity whose address is listed above. Any use of the information
> contained herein in any way (including, but not limited to, total or
> partial disclosure, reproduction, or
> dissemination) by persons other than the intended recipient's) is
> prohibited. If you receive this e-mail in error, please notify the
> sender by phone or email immediately and delete it!
>
>
Re: Thrift client authentication skipped for HBase thrift server
Posted by Jimmy Xiang <jx...@cloudera.com>.
Kashif,
HBASE-11349/HBASE-11474 is indeed to authenticate Thrift clients using
Kerberos. Is this what you are looking for?
For Thrift server authentication, it is already there. Please refer to the
hbase book
http://hbase.apache.org/book/security.html#hbase.secure.configuration
Section 8.1.4 for more details.
Thanks,
Jimmy
On Sun, Aug 31, 2014 at 11:28 PM, Kashif Jawed Siddiqui <kashifjs@huawei.com
> wrote:
> Hi All,
>
> As per current implementation done for
> https://issues.apache.org/jira/i#browse/HBASE-11349 &&
> https://issues.apache.org/jira/i#browse/HBASE-11474 ,
>
> The authentication mechanism using Kerberos principal for Thrift server
> with HBase is perfectly fine.
>
>
>
> But for clients communicating to HBase via thrift server does not handle
> the security mechanism.
>
> Any unauthenticated client can access HBase via thrift server. The thrift
> sever can act as a backdoor entry for skipping the security &
> authentication.
>
> It will be better if thrift clients can also be authenticated through some
> mechanism like Kerberos or IP restriction,etc
>
>
>
> Let us discuss on mechanism for thrift client authentication that can be
> implemented.
>
>
>
> ***************************************************************************************
> This e-mail and attachments contain confidential information from HUAWEI,
> which is intended only for the person or entity whose address is listed
> above. Any use of the information contained herein in any way (including,
> but not limited to, total or partial disclosure, reproduction, or
> dissemination) by persons other than the intended recipient's) is
> prohibited. If you receive this e-mail in error, please notify the sender
> by phone or email immediately and delete it!
>
>