Posted to user@hbase.apache.org by Tony Dean <To...@sas.com> on 2012/07/02 02:29:45 UTC

HBase Security API

Posting this again in plaintext to see if it registers successfully.

Hi,

It appears that the Kerberos authentication integration into HBase is via JAAS Krb5LoginModule.  That is,
I can set up the "Client" application context and configure where/how the client Kerberos principal is
authenticated (TGT).  Correct?  If I have a multi-tenant application that performs scans/gets/puts based
on different users, what is the appropriate way to specify the Kerberos principal to use on each thread?
I was thinking that I could use a JAAS callbackHandler to specify the principal to use and then configure
the login module to query a keytab for the principal's password key.  Or do I have to create a Subject and
configure the login module to use the shared state?

What's an application's integration point into specifying what client Kerberos principal to authenticate and use?


Thank you!


Tony Dean
SAS Institute Inc.
Senior Software Developer
919-531-6704





Re: HBase Security API

Posted by Devaraj Das <dd...@hortonworks.com>.
IMO, the application that you are referring to should be set up to impersonate other users (called proxy-user authentication).

Have a look at http://hadoop.apache.org/common/docs/r1.0.3/Secure_Impersonation.html. This can be mapped to the HBase land.

I think the class org.apache.hadoop.hbase.security.User should provide an API to create proxy users.

On Jul 1, 2012, at 5:29 PM, Tony Dean wrote:

> Posting this again in plaintext to see if it registers successfully.
> 
> Hi,
> 
> It appears that the Kerberos authentication integration into HBase is via JAAS Krb5LoginModule.  That is,
> I can set up the "Client" application context and configure where/how the client Kerberos principal is
> authenticated (TGT).  Correct?  If I have a multi-tenant application that performs scans/gets/puts based
> on different users, what is the appropriate way to specify the Kerberos principal to use on each thread?
> I was thinking that I could use a JAAS callbackHandler to specify the principal to use and then configure
> the login module to query a keytab for the principal's password key.  Or do I have to create a Subject and
> configure the login module to use the shared state?
> 
> What's an application's integration point into specifying what client Kerberos principal to authenticate and use?
> 
> 
> Thank you!
> 
> 
> Tony Dean
> SAS Institute Inc.
> Senior Software Developer
> 919-531-6704
> 
> 
> 
> 


Re: HBase Security API

Posted by Andrew Purtell <ap...@apache.org>.
On Sun, Jul 1, 2012 at 5:29 PM, Tony Dean <To...@sas.com> wrote:
> It appears that the Kerberos authentication integration into HBase is via JAAS Krb5LoginModule.  That is,

This is a question for general@hadoop.apache.org I think. HBase
piggybacks on Hadoop's Kerberos integration. Hadoop uses its own
custom LoginModule, see
org.apache.hadoop.security.UserGroupInformation.

Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet
Hein (via Tom White)
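
The proxy-user approach suggested in the replies above, sketched with Hadoop's UserGroupInformation as an added example that is not code from this thread or from the HBase project. The class TenantGateway and its method getAs are hypothetical names; the sketch uses the newer HBase client API (ConnectionFactory) and assumes the cluster honours proxy users for the service principal through the hadoop.proxyuser.<service>.hosts and hadoop.proxyuser.<service>.groups settings described in the Secure Impersonation document.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical multi-tenant front end: one Kerberos login, one proxy UGI per request. */
public class TenantGateway {
    private final Configuration conf = HBaseConfiguration.create();
    private final UserGroupInformation service;

    /** Only the service principal holds Kerberos credentials (from its keytab). */
    public TenantGateway(String servicePrincipal, String keytabPath) throws IOException {
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(servicePrincipal, keytabPath);
        this.service = UserGroupInformation.getLoginUser();
    }

    /**
     * Reads one row as tenantUser. tenantUser must be the identity the application
     * has already authenticated for this session, never a value taken from the
     * request payload, because the cluster trusts the service to assert it.
     */
    public Result getAs(String tenantUser, String table, String row)
            throws IOException, InterruptedException {
        service.checkTGTAndReloginFromKeytab();   // keep the service TGT fresh
        UserGroupInformation proxy =
                UserGroupInformation.createProxyUser(tenantUser, service);
        // Code inside doAs runs with the proxy identity on the calling thread, so
        // concurrent requests for different tenants do not share a Subject.
        return proxy.doAs((PrivilegedExceptionAction<Result>) () -> {
            // A connection per call keeps the sketch short; a real service would
            // cache one connection per tenant instead of sharing one across users.
            try (Connection conn = ConnectionFactory.createConnection(conf);
                 Table t = conn.getTable(TableName.valueOf(table))) {
                return t.get(new Get(Bytes.toBytes(row)));
            }
        });
    }
}
```

Restricting the hosts and groups settings to the gateway machine and the tenant group limits what a compromised service keytab can impersonate.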