Posted to dev@hbase.apache.org by "Andrew Kyle Purtell (Jira)" <ji...@apache.org> on 2022/06/12 19:51:00 UTC
[jira] [Resolved] (HBASE-4817) Simplify configuration of security components
[ https://issues.apache.org/jira/browse/HBASE-4817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Kyle Purtell resolved HBASE-4817.
----------------------------------------
Resolution: Won't Fix
> Simplify configuration of security components
> ---------------------------------------------
>
> Key: HBASE-4817
> URL: https://issues.apache.org/jira/browse/HBASE-4817
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Gary Helmling
> Priority: Major
>
> The HBase security features were built to be optionally loadable, when desired, and it shows through in the complexity of configuring security for operation.
> In addition to the baseline configuration required for process keytab files and server principals, the following properties need to be set to enable security:
> {code}
> <property>
> <name>hbase.security.authentication</name>
> <value>kerberos</value>
> </property>
> <property>
> <name>hbase.coprocessor.master.classes</name>
> <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
> <name>hbase.coprocessor.region.classes</name>
> <value>org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider</value>
> </property>
> <property>
> <name>hbase.rpc.engine</name>
> <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
> </property>
> <property>
> <name>hbase.zookeeper.property.authProvider.1</name>
> <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>
> </property>
> {code}
> We should be able to simplify this and automatically set up the underlying code components (required coprocessors, SecureRpcEngine) when some high level security flags are set.
> For authentication and authorization, I'd like to narrow it down to two simple configuration properties. When set, these would trigger automatic configuration of the required coprocessors/RpcEngine:
> * {{hbase.security.authentication}} - when set to {{kerberos}}, this would automatically:
> ** set {{hbase.rpc.engine=org.apache.hadoop.hbase.ipc.SecureRpcEngine}}
> ** add {{org.apache.hadoop.hbase.security.token.TokenProvider}} to the configuration for {{hbase.coprocessor.region.classes}}
> ** possibly also set {{hbase.zookeeper.property.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider}} for zookeeper?
> * {{hbase.security.authorization}} - when set to {{true}}, this would automatically:
> ** add {{org.apache.hadoop.hbase.security.access.AccessController}} to the configuration for both {{hbase.coprocessor.master.classes}} and {{hbase.coprocessor.region.classes}}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
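
The derivation proposed in the issue, sketched as an added example (not HBase code and not part of the original message): it expands the two high-level flags into the low-level properties listed above and reports which ones a given hbase-site.xml still lacks. The function names, the configure_zookeeper switch (the issue leaves the ZooKeeper step as a question) and the com.example.AuditObserver coprocessor are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
TOKEN_PROVIDER = "org.apache.hadoop.hbase.security.token.TokenProvider"
SECURE_RPC = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"
ZK_SASL = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"

def parse_site_xml(text):
    """Read <property><name>/<value> pairs from hbase-site.xml content."""
    root = ET.fromstring(text)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property") if p.findtext("name")}

def _add_class(props, key, cls):
    """Append cls to a comma-separated class list, keeping existing entries."""
    classes = [c.strip() for c in props.get(key, "").split(",") if c.strip()]
    if cls not in classes:
        classes.append(cls)
    props[key] = ",".join(classes)

def expand_security_config(props, configure_zookeeper=False):
    """Derive the low-level settings from the two high-level flags (hypothetical helper)."""
    out = dict(props)
    # Authorization first, so a flags-only config yields the same class order as the issue.
    if out.get("hbase.security.authorization", "").lower() == "true":
        _add_class(out, "hbase.coprocessor.master.classes", ACCESS_CONTROLLER)
        _add_class(out, "hbase.coprocessor.region.classes", ACCESS_CONTROLLER)
    if out.get("hbase.security.authentication", "").lower() == "kerberos":
        out["hbase.rpc.engine"] = SECURE_RPC
        _add_class(out, "hbase.coprocessor.region.classes", TOKEN_PROVIDER)
        if configure_zookeeper:  # assumption: opt-in, the issue only says "possibly"
            out["hbase.zookeeper.property.authProvider.1"] = ZK_SASL
    return out

def missing_settings(props, configure_zookeeper=False):
    """Report derived settings that the given configuration does not yet carry."""
    expected = expand_security_config(props, configure_zookeeper)
    return {k: v for k, v in expected.items() if props.get(k) != v}

# Constructed sample: the two high-level flags plus one pre-existing coprocessor.
SAMPLE_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.region.classes</name><value>com.example.AuditObserver</value></property>
</configuration>"""

if __name__ == "__main__":
    for name, value in sorted(missing_settings(parse_site_xml(SAMPLE_SITE)).items()):
        print(f"{name} = {value}")
```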