Posted to user@hbase.apache.org by 陈叶超 <ch...@gmail.com> on 2020/05/07 06:48:35 UTC

Re: How to use Pluggable RPC authentication

Thanks for the reply.

It seems we can't customize an authentication plugin with code compatibility.



Wellington Chevreuil <we...@gmail.com> wrote on Mon, Apr 27, 2020 at 5:10 PM:

> >
> > how to use or config the custom authentication?
> >
> Assuming your authentication solution implements properly the key
> interfaces *SaslServerAuthenticationProvider*,
> *SaslClientAuthenticationProvider* and *BuiltInProviderSelector*, you need
> to specify each of these implementations on the
> *hbase.client.sasl.provider.class*, *hbase.client.sasl.provider.extras* and
> *hbase.server.sasl.provider.extras* you had mentioned. These must be set on
> both client and server side, so your custom classes must be present on both
> client and server classpaths.
>
> > I check the test code, why we need setUp kerberos first?
> >
> HBase security here means an authentication system is set. Right now, HBase
> only supports Kerberos as an authentication mechanism. So the RPC
> sub-system would only apply any of its authentication checks if security is
> enabled, and by that we mean *hbase.security.authentication* is set to
> *kerberos*.
>
>
> > if I add an extras but the client uses simple
> >
> > the auth can be bypassed
> >
> This would only happen if you had explicitly set
> *hbase.ipc.server.fallback-to-simple-auth-allowed* property to *true* on
> the server configuration.
>
> > what I missed?
> >
> Can you share both your client and server configs? Do you see any
> suggestive messages on client/server logs (TRACE level might be helpful
> here)? Would it be feasible for you to share your implementations of
> *SaslServerAuthenticationProvider*, *SaslClientAuthenticationProvider*
> and *BuiltInProviderSelector*
> (I understand this might not be desirable, maybe just some snippets of
> specific method implementation here)? For instance, both Server and Client
> provider implementations should return the very same type in getTokenKind()
> method implementation.
>
> On Mon, Apr 27, 2020 at 05:59, 陈叶超 <ch...@gmail.com> wrote:
>
> > Hi all:
> >
> > in https://issues.apache.org/jira/browse/HBASE-23347 introduce a pluggable
> > rpc authentication
> >
> > https://github.com/apache/hbase/pull/884
> >
> > I want to use this pr to create a custom auth
> >
> > how to use or config the custom authentication?
> >
> > I check the test code, why we need setUp kerberos first?
> >
> > and seems server offer three simple/gss/Digest and extras auth
> >
> > if I add an extras but the client uses simple
> >
> > the auth can be bypassed
> >
> > now i just set three properties :
> >
> > hbase.client.sasl.provider.class
> >
> > hbase.client.sasl.provider.extras
> >
> > hbase.server.sasl.provider.extras
> >
> > what i missed?
> >
> > I check the code
> >
> > in ServerRpcConnection.java
> >
> >
> > ```java
> > //from me: if client pass the simple authbyte? we just use simple???
> > this.provider = this.saslProviders.selectProvider(authbyte);
> > if (this.provider == null) {
> >   String msg = getFatalConnectionString(version, authbyte);
> >   doBadPreambleHandling(msg, new BadAuthException(msg));
> >   return false;
> > }
> > //from me : don't understand here
> > // TODO this is a wart while simple auth'n doesn't go through sasl.
> > if (this.rpcServer.isSecurityEnabled && isSimpleAuthentication()) {
> >   if (this.rpcServer.allowFallbackToSimpleAuth) {
> >     this.rpcServer.metrics.authenticationFallback();
> >     authenticatedWithFallback = true;
> >   } else {
> >     AccessDeniedException ae = new AccessDeniedException("Authentication is required");
> >     doRespond(getErrorResponse(ae.getMessage(), ae));
> >     return false;
> >   }
> > }
> > //from me : don't understand here ?
> > if (!this.rpcServer.isSecurityEnabled && !isSimpleAuthentication()) {
> >   doRawSaslReply(SaslStatus.SUCCESS, new IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null,
> >     null);
> >   provider = saslProviders.getSimpleProvider();
> >   // client has already sent the initial Sasl message and we
> >   // should ignore it. Both client and server should fall back
> >   // to simple auth from now on.
> >   skipInitialSaslHandshake = true;
> > }
> > useSasl = true;
> >
> > ```
> >
>
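
An added example, not part of the original thread and not HBase code: a small audit of an hbase-site.xml for the settings discussed above that decide whether a custom SASL provider can be skipped. The property names come from the thread; the com.example.* class names, the sample configs and the treatment of unset values as "simple"/"false" are assumptions.

```python
import xml.etree.ElementTree as ET

# Property names as they appear in the thread above.
AUTH = "hbase.security.authentication"
FALLBACK = "hbase.ipc.server.fallback-to-simple-auth-allowed"
PROVIDER_KEYS = ("hbase.client.sasl.provider.class",
                 "hbase.client.sasl.provider.extras",
                 "hbase.server.sasl.provider.extras")

def load_props(xml_text):
    """Parse Hadoop-style <configuration>/<property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(props):
    """List the settings that would let a connection skip the custom provider."""
    findings = []
    # Assumption: an unset value behaves as "simple" / "false" respectively.
    if props.get(AUTH, "simple").lower() != "kerberos":
        findings.append(f"{AUTH} is not kerberos: RPC authentication checks are off")
    if props.get(FALLBACK, "false").lower() == "true":
        findings.append(f"{FALLBACK} is true: simple-auth clients are accepted")
    for key in PROVIDER_KEYS:
        if not props.get(key):
            findings.append(f"{key} is unset")
    return findings

def site(pairs):
    """Build a constructed hbase-site.xml document from (name, value) pairs."""
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in pairs)
    return f"<configuration>{body}</configuration>"

# Constructed samples; the com.example.* class names are hypothetical.
CUSTOM = [("hbase.client.sasl.provider.class", "com.example.MySelector"),
          ("hbase.client.sasl.provider.extras", "com.example.MyClientProvider"),
          ("hbase.server.sasl.provider.extras", "com.example.MyServerProvider")]
# Provider properties set, but security not enabled and fallback allowed.
WEAK = site(CUSTOM + [(FALLBACK, "true")])
HARDENED = site(CUSTOM + [(AUTH, "kerberos"), (FALLBACK, "false")])

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(load_props(xml_text)) or "no findings")
```

The same check should be run against both the client and the server configuration, since the thread says the properties must be set on both sides.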