You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@hbase.apache.org by "Rose, Joseph" <Jo...@childrens.harvard.edu> on 2015/08/10 23:55:32 UTC

REST Impersonation?

Folks,

I’d like to get REST gateway impersonation going on my cluster but I’m a
little confused by the docs (section 55.8 of the reference guide for the
version I’m using, 0.98.13.)

As I understand it (please let me know if I’m on the wrong track), this
will let me send user credentials in on the REST call that match, say, the
users in my HBase instance. These users have visibility labels associated
with them and I assume that the labels will function normally with the
credentials on the REST call.

In any case, the 0.98.13 docs say that I should set
‘hadoop.proxyuser.$USER.groups’ to ‘$GROUPS’; same thing for
‘hadoop.proxyuser.$USER.hosts’. What’s the variable substitution for $USER
and $GROUPS? Do I need to create these before I can use impersonation?

Obviously I’m somewhat confused. Thanks for your help.


-j

Re: REST Impersonation?

Posted by Jerry He <je...@gmail.com>.
The basic concept and impersonation support is this:

Your HBase Rest gateway is running under a user id, say 'hbase'.
The incoming Rest client user id is 'user1'.

On the HBase server (master or region server), you want the authorization
(ACL) to be done on 'user1'.
You want the user id 'hbase' to be able to impersonate the user id 'user1'.

You would specify on your hbase-site.xml on the HBase servers (master and
region servers):

hadoop.proxyuser.hbase.groups = <the-group-of-user1 or groups or wildcard
like *)
hadoop.proxyuser.hbase.hosts = <the-host-where-your-rest-server-is or
wildcard like *)

It basically says 'I am allowing the user id hbase to impersonate anyone in
the specified groups from the specified hosts.

You can look at the master version of the Reference Guide.
http://hbase.apache.org/book.html
I do think we need to do a better job explaining this.


Jerry




On Mon, Aug 10, 2015 at 2:55 PM, Rose, Joseph <
Joseph.Rose@childrens.harvard.edu> wrote:

> Folks,
>
> I’d like to get REST gateway impersonation going on my cluster but I’m a
> little confused by the docs (section 55.8 of the reference guide for the
> version I’m using, 0.98.13.)
>
> As I understand it (please let me know if I’m on the wrong track), this
> will let me send user credentials in on the REST call that match, say, the
> users in my HBase instance. These users have visibility labels associated
> with them and I assume that the labels will function normally with the
> credentials on the REST call.
>
> In any case, the 0.98.13 docs say that I should set
> ‘hadoop.proxyuser.$USER.groups’ to ‘$GROUPS’; same thing for
> ‘hadoop.proxyuser.$USER.hosts’. What’s the variable substitution for $USER
> and $GROUPS? Do I need to create these before I can use impersonation?
>
> Obviously I’m somewhat confused. Thanks for your help.
>
>
> -j
>
>