You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Gary Helmling (JIRA)" <ji...@apache.org> on 2011/07/14 20:08:01 UTC
[jira] [Created] (HBASE-4100) Authentication for REST clients
Authentication for REST clients
-------------------------------
Key: HBASE-4100
URL: https://issues.apache.org/jira/browse/HBASE-4100
Project: HBase
Issue Type: Sub-task
Components: security
Reporter: Gary Helmling
Like Thrift, the REST gateway is not currently integrated into the authentication used for HBase RPC. Currently this means the REST gateway cannot even be used when HBase security is active.
For the REST gateway to be able to interoperate with HBase security:
# the REST server needs to be able to login from a keytab on startup with its own server principal
# REST clients need to be able to authenticate security with the REST server
# the REST server needs to be able to act as a trusted proxy for the original client identities, so that the HBase authorization checks can be performed against the original client request
Like Thrift, implementing step #1 as a bare minimum would at least allow deploying a REST server configured to login as the application user on startup. Even without authenticating REST clients, this would allow the gateway to work when HBase security is active.
For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI authentication of clients over HTTP. The Alfredo library from Cloudera would hopefully make this relatively easy to do:
http://cloudera.github.com/alfredo/docs/latest/index.html
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-4100) Authentication for REST clients
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-4100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13443531#comment-13443531 ]
Lars Hofhansl commented on HBASE-4100:
--------------------------------------
What's the status. Can this still be committed?
> Authentication for REST clients
> -------------------------------
>
> Key: HBASE-4100
> URL: https://issues.apache.org/jira/browse/HBASE-4100
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: Gary Helmling
> Attachments: HBASE-4100.patch
>
>
> Like Thrift, the REST gateway is not currently integrated into the authentication used for HBase RPC. Currently this means the REST gateway cannot even be used when HBase security is active.
> For the REST gateway to be able to interoperate with HBase security:
> # the REST server needs to be able to login from a keytab on startup with its own server principal
> # REST clients need to be able to authenticate security with the REST server
> # the REST server needs to be able to act as a trusted proxy for the original client identities, so that the HBase authorization checks can be performed against the original client request
> Like Thrift, implementing step #1 as a bare minimum would at least allow deploying a REST server configured to login as the application user on startup. Even without authenticating REST clients, this would allow the gateway to work when HBase security is active.
> For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI authentication of clients over HTTP. The Alfredo library from Cloudera would hopefully make this relatively easy to do:
> http://cloudera.github.com/alfredo/docs/latest/index.html
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-4100) Authentication for REST clients
Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-4100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13112167#comment-13112167 ]
Andrew Purtell commented on HBASE-4100:
---------------------------------------
+1
> Authentication for REST clients
> -------------------------------
>
> Key: HBASE-4100
> URL: https://issues.apache.org/jira/browse/HBASE-4100
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: Gary Helmling
> Attachments: HBASE-4100.patch
>
>
> Like Thrift, the REST gateway is not currently integrated into the authentication used for HBase RPC. Currently this means the REST gateway cannot even be used when HBase security is active.
> For the REST gateway to be able to interoperate with HBase security:
> # the REST server needs to be able to login from a keytab on startup with its own server principal
> # REST clients need to be able to authenticate security with the REST server
> # the REST server needs to be able to act as a trusted proxy for the original client identities, so that the HBase authorization checks can be performed against the original client request
> Like Thrift, implementing step #1 as a bare minimum would at least allow deploying a REST server configured to login as the application user on startup. Even without authenticating REST clients, this would allow the gateway to work when HBase security is active.
> For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI authentication of clients over HTTP. The Alfredo library from Cloudera would hopefully make this relatively easy to do:
> http://cloudera.github.com/alfredo/docs/latest/index.html
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (HBASE-4100) Authentication for REST clients
Posted by "Gary Helmling (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-4100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary Helmling resolved HBASE-4100.
----------------------------------
Resolution: Duplicate
Assignee: stack
Change was applied as part of HBASE-5062 by stack.
> Authentication for REST clients
> -------------------------------
>
> Key: HBASE-4100
> URL: https://issues.apache.org/jira/browse/HBASE-4100
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: Gary Helmling
> Assignee: stack
> Attachments: HBASE-4100.patch
>
>
> Like Thrift, the REST gateway is not currently integrated into the authentication used for HBase RPC. Currently this means the REST gateway cannot even be used when HBase security is active.
> For the REST gateway to be able to interoperate with HBase security:
> # the REST server needs to be able to login from a keytab on startup with its own server principal
> # REST clients need to be able to authenticate security with the REST server
> # the REST server needs to be able to act as a trusted proxy for the original client identities, so that the HBase authorization checks can be performed against the original client request
> Like Thrift, implementing step #1 as a bare minimum would at least allow deploying a REST server configured to login as the application user on startup. Even without authenticating REST clients, this would allow the gateway to work when HBase security is active.
> For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI authentication of clients over HTTP. The Alfredo library from Cloudera would hopefully make this relatively easy to do:
> http://cloudera.github.com/alfredo/docs/latest/index.html
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-4100) Authentication for REST clients
Posted by "Gary Helmling (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-4100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary Helmling updated HBASE-4100:
---------------------------------
Attachment: HBASE-4100.patch
This patch implements step #1 for the REST server, allowing it to login from a keytab file on startup. The patch depends on a new method in the Strings class added in HBASE-4099.
Like the HBASE-4099 patch, this change is necessary for a REST server to work correctly with the SecureRpcEngine from HBASE-2742, when using Kerberos authentication.
> Authentication for REST clients
> -------------------------------
>
> Key: HBASE-4100
> URL: https://issues.apache.org/jira/browse/HBASE-4100
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: Gary Helmling
> Attachments: HBASE-4100.patch
>
>
> Like Thrift, the REST gateway is not currently integrated into the authentication used for HBase RPC. Currently this means the REST gateway cannot even be used when HBase security is active.
> For the REST gateway to be able to interoperate with HBase security:
> # the REST server needs to be able to login from a keytab on startup with its own server principal
> # REST clients need to be able to authenticate security with the REST server
> # the REST server needs to be able to act as a trusted proxy for the original client identities, so that the HBase authorization checks can be performed against the original client request
> Like Thrift, implementing step #1 as a bare minimum would at least allow deploying a REST server configured to login as the application user on startup. Even without authenticating REST clients, this would allow the gateway to work when HBase security is active.
> For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI authentication of clients over HTTP. The Alfredo library from Cloudera would hopefully make this relatively easy to do:
> http://cloudera.github.com/alfredo/docs/latest/index.html
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira