Posted to dev@hbase.apache.org by "Andrew Kyle Purtell (Jira)" <ji...@apache.org> on 2022/06/12 19:51:00 UTC

[jira] [Resolved] (HBASE-4817) Simplify configuration of security components

     [ https://issues.apache.org/jira/browse/HBASE-4817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Kyle Purtell resolved HBASE-4817.
----------------------------------------
    Resolution: Won't Fix

> Simplify configuration of security components
> ---------------------------------------------
>
>                 Key: HBASE-4817
>                 URL: https://issues.apache.org/jira/browse/HBASE-4817
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Gary Helmling
>            Priority: Major
>
> The HBase security features were built to be optionally loadable, when desired, and it shows through in the complexity of configuring security for operation.
> In addition to the baseline configuration required for process keytab files and server principals, the following properties need to be set to enable security:
> {code}
> <property>
>  <name>hbase.security.authentication</name>
>  <value>kerberos</value>
> </property>
> <property>
>  <name>hbase.coprocessor.master.classes</name>
>  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>  <name>hbase.coprocessor.region.classes</name>
>  <value>org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider</value>
> </property>
> <property>
>  <name>hbase.rpc.engine</name>
>  <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
> </property>
> <property>
>  <name>hbase.zookeeper.property.authProvider.1</name>
>  <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>
> </property>
> {code}
> We should be able to simplify this and automatically set up the underlying code components (required coprocessors, SecureRpcEngine) when some high level security flags are set.
> For authentication and authorization, I'd like to narrow it down to two simple configuration properties.  When set, these would trigger automatic configuration of the required coprocessors/RpcEngine:
> * {{hbase.security.authentication}} - when set to {{kerberos}}, this would automatically:
> ** set {{hbase.rpc.engine=org.apache.hadoop.hbase.ipc.SecureRpcEngine}}
> ** add {{org.apache.hadoop.hbase.security.token.TokenProvider}} to the configuration for {{hbase.coprocessor.region.classes}}
> ** possibly also set {{hbase.zookeeper.property.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider}} for ZooKeeper?
> * {{hbase.security.authorization}} - when set to {{true}}, this would automatically:
> ** add {{org.apache.hadoop.hbase.security.access.AccessController}} to the configuration for both {{hbase.coprocessor.master.classes}} and {{hbase.coprocessor.region.classes}}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
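
An added example, not part of the Jira message or of HBase itself: a small linter that applies the flag-to-component mapping described in the issue to an hbase-site.xml and reports any low-level property the two flags imply but the file lacks. The function names and the sample file are constructed for illustration, and the ZooKeeper auth provider, which the issue lists only as "possibly", is treated here as required.

```python
import xml.etree.ElementTree as ET

TOKEN_PROVIDER = "org.apache.hadoop.hbase.security.token.TokenProvider"
ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
MASTER_CP, REGION_CP = "hbase.coprocessor.master.classes", "hbase.coprocessor.region.classes"

def load_site(xml_text):
    """Parse hbase-site.xml text into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def implied_settings(props):
    """Low-level settings implied by the two high-level flags, per the issue text."""
    exact, classes = {}, {MASTER_CP: [], REGION_CP: []}
    if props.get("hbase.security.authentication", "").lower() == "kerberos":
        exact["hbase.rpc.engine"] = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"
        # Assumption: the issue marks this one as "possibly"; the linter requires it.
        exact["hbase.zookeeper.property.authProvider.1"] = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
        classes[REGION_CP].append(TOKEN_PROVIDER)
    if props.get("hbase.security.authorization", "").lower() == "true":
        classes[MASTER_CP].append(ACCESS_CONTROLLER)
        classes[REGION_CP].append(ACCESS_CONTROLLER)
    return exact, classes

def audit(xml_text):
    """Return a sorted list of findings; an empty list means the file is consistent."""
    props = load_site(xml_text)
    exact, classes = implied_settings(props)
    findings = [f"{n}: expected {w}, found {props.get(n)!r}" for n, w in exact.items() if props.get(n) != w]
    for n, wanted in classes.items():
        have = {c.strip() for c in props.get(n, "").split(",") if c.strip()}
        findings += [f"{n}: missing {c}" for c in wanted if c not in have]
    return sorted(findings)

# Constructed sample: both flags are set, but the RPC engine and TokenProvider were forgotten.
SAMPLE = """<configuration>
 <property><name>hbase.security.authentication</name><value>kerberos</value></property>
 <property><name>hbase.security.authorization</name><value>true</value></property>
 <property><name>hbase.coprocessor.master.classes</name><value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
 <property><name>hbase.coprocessor.region.classes</name><value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
 <property><name>hbase.zookeeper.property.authProvider.1</name><value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "consistent")
```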