Posted to user@impala.apache.org by Danny Morgan <un...@hotmail.com> on 2017/02/02 14:55:01 UTC

Re: Impala Hbase Security

Hi Everyone, any luck?

________________________________
From: Danny Morgan <un...@hotmail.com>
Sent: Friday, January 27, 2017 10:08:12 PM
To: user@impala.incubator.apache.org
Subject: Impala Hbase Security


Does Impala support HBase security? Can Impala impersonate end users when
accessing HBase?


Does Impala work with Kerberized HBase?


Thank You


Re: Impala Hbase Security

Posted by Jeszy <je...@gmail.com>.
Hey Danny,

As far as I know Sentry doesn't work with HBase out of the box (so not
sure about Sentry's HBase model).

If you use Sentry, Impala will validate against Sentry's privilege db
(its cached version in the catalog) before doing anything. That means
that if Impala is the only interface to HBase, you can use Sentry to
control access. Since this is not the case, I think assuming that the
'impala' user is allowed to access anything would work (since the
effective user is cleared against Sentry previously), but you would
have to manually sync HBase and Sentry privileges to cover other
clients.
This last part is what Sentry's HDFS sync takes care of in HDFS-backed
tables. I am not a security guru by any means, so handle with care :)

HTH

On Wed, Feb 8, 2017 at 8:55 PM, Tim Armstrong <ta...@cloudera.com> wrote:
> I believe that's correct - we don't have a special privilege model for
> HBase.
>
> On Fri, Feb 3, 2017 at 7:20 PM, Danny Morgan <un...@hotmail.com> wrote:
>>
>> Thanks Tim!
>>
>>
>> I believe HDFS is a special case as libHdfs doesn't have a functional api
>> for proxy user impersonation at the moment, and instead uses the UGI methods
>> which just use the process uid or the cached principal.
>>
>>
>> In the case of HBase there is a proxy impersonation api in HBase 1.0+ but
>> even with the current implementation as far as I can tell Impala wouldn't be
>> compatible with Sentry's HBase privilege model either. Is that correct?
>>
>>
>> Thank you again.
>>
>> ________________________________
>> From: Tim Armstrong <ta...@cloudera.com>
>> Sent: Friday, February 3, 2017 7:48:08 PM
>>
>> To: user@impala.incubator.apache.org
>> Subject: Re: Impala Hbase Security
>>
>> I don't believe that we have anything planned.
>>
>> For what it's worth the situation with HDFS is similar - we generally
>> assume that the Impala user is given broad enough permissions to access any
>> HDFS files or directories that any Impala user needs access to. Then
>> authorisation is done via Sentry to determine whether a given user has
>> access to the particular tables and columns. This lets us do things like
>> column-level security and also have different permissions on views and the
>> underlying tables.
>>
>> On Fri, Feb 3, 2017 at 10:03 AM, Danny Morgan <un...@hotmail.com>
>> wrote:
>>>
>>> Thanks Tim, I was able to verify the kerberos support. Any chance you'll
>>> add support for impersonation to HBase? I think right now everything runs as
>>> the "impala" user.
>>>
>>> ________________________________
>>> From: Tim Armstrong <ta...@cloudera.com>
>>> Sent: Thursday, February 2, 2017 9:14:47 PM
>>> To: user@impala.incubator.apache.org
>>> Subject: Re: Impala Hbase Security
>>>
>>> Hi Danny,
>>>   I believe that Impala should pick up your HBase security configuration
>>> from hbase-site.xml. We don't support impersonation.
>>>
>>> - Tim
>>>
>>> On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <un...@hotmail.com>
>>> wrote:
>>>>
>>>> Hi Everyone, any luck?
>>>>
>>>> ________________________________
>>>> From: Danny Morgan <un...@hotmail.com>
>>>> Sent: Friday, January 27, 2017 10:08:12 PM
>>>> To: user@impala.incubator.apache.org
>>>> Subject: Impala Hbase Security
>>>>
>>>>
>>>> Does Impala support HBase security? Can Impala impersonate end users
>>>> when accessing HBase?
>>>>
>>>>
>>>> Does Impala work with Kerberized HBase?
>>>>
>>>>
>>>> Thank You
>>>>
>>>>
>>>
>>
>

Re: Impala Hbase Security

Posted by Tim Armstrong <ta...@cloudera.com>.
I believe that's correct - we don't have a special privilege model for
HBase.

On Fri, Feb 3, 2017 at 7:20 PM, Danny Morgan <un...@hotmail.com> wrote:

> Thanks Tim!
>
>
> I believe HDFS is a special case as libHdfs doesn't have a functional api
> for proxy user impersonation at the moment, and instead uses the UGI
> methods which just use the process uid or the cached principal.
>
>
> In the case of HBase there is a proxy impersonation api in HBase 1.0+ but
> even with the current implementation as far as I can tell Impala wouldn't
> be compatible with Sentry's HBase privilege model either. Is that correct?
>
>
> Thank you again.
> ------------------------------
> *From:* Tim Armstrong <ta...@cloudera.com>
> *Sent:* Friday, February 3, 2017 7:48:08 PM
>
> *To:* user@impala.incubator.apache.org
> *Subject:* Re: Impala Hbase Security
>
> I don't believe that we have anything planned.
>
> For what it's worth the situation with HDFS is similar - we generally
> assume that the Impala user is given broad enough permissions to access any
> HDFS files or directories that any Impala user needs access to. Then
> authorisation is done via Sentry to determine whether a given user has
> access to the particular tables and columns. This lets us do things like
> column-level security and also have different permissions on views and the
> underlying tables.
>
> On Fri, Feb 3, 2017 at 10:03 AM, Danny Morgan <un...@hotmail.com>
> wrote:
>
>> Thanks Tim, I was able to verify the kerberos support. Any chance you'll
>> add support for impersonation to HBase? I think right now everything runs
>> as the "impala" user.
>> ------------------------------
>> *From:* Tim Armstrong <ta...@cloudera.com>
>> *Sent:* Thursday, February 2, 2017 9:14:47 PM
>> *To:* user@impala.incubator.apache.org
>> *Subject:* Re: Impala Hbase Security
>>
>> Hi Danny,
>>   I believe that Impala should pick up your HBase security configuration
>> from hbase-site.xml. We don't support impersonation.
>>
>> - Tim
>>
>> On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <un...@hotmail.com>
>> wrote:
>>
>>> Hi Everyone, any luck?
>>> ------------------------------
>>> *From:* Danny Morgan <un...@hotmail.com>
>>> *Sent:* Friday, January 27, 2017 10:08:12 PM
>>> *To:* user@impala.incubator.apache.org
>>> *Subject:* Impala Hbase Security
>>>
>>>
>>> Does Impala support HBase security? Can Impala impersonate end users
>>> when accessing HBase?
>>>
>>>
>>> Does Impala work with Kerberized HBase?
>>>
>>>
>>> Thank You
>>>
>>>
>>
>

Re: Impala Hbase Security

Posted by Danny Morgan <un...@hotmail.com>.
Thanks Tim!


I believe HDFS is a special case as libHdfs doesn't have a functional api for proxy user impersonation at the moment, and instead uses the UGI methods which just use the process uid or the cached principal.


In the case of HBase there is a proxy impersonation api in HBase 1.0+ but even with the current implementation as far as I can tell Impala wouldn't be compatible with Sentry's HBase privilege model either. Is that correct?


Thank you again.

________________________________
From: Tim Armstrong <ta...@cloudera.com>
Sent: Friday, February 3, 2017 7:48:08 PM
To: user@impala.incubator.apache.org
Subject: Re: Impala Hbase Security

I don't believe that we have anything planned.

For what it's worth the situation with HDFS is similar - we generally assume that the Impala user is given broad enough permissions to access any HDFS files or directories that any Impala user needs access to. Then authorisation is done via Sentry to determine whether a given user has access to the particular tables and columns. This lets us do things like column-level security and also have different permissions on views and the underlying tables.

On Fri, Feb 3, 2017 at 10:03 AM, Danny Morgan <un...@hotmail.com> wrote:

Thanks Tim, I was able to verify the kerberos support. Any chance you'll add support for impersonation to HBase? I think right now everything runs as the "impala" user.

________________________________
From: Tim Armstrong <ta...@cloudera.com>
Sent: Thursday, February 2, 2017 9:14:47 PM
To: user@impala.incubator.apache.org
Subject: Re: Impala Hbase Security

Hi Danny,
  I believe that Impala should pick up your HBase security configuration from hbase-site.xml. We don't support impersonation.

- Tim

On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <un...@hotmail.com> wrote:

Hi Everyone, any luck?

________________________________
From: Danny Morgan <un...@hotmail.com>
Sent: Friday, January 27, 2017 10:08:12 PM
To: user@impala.incubator.apache.org
Subject: Impala Hbase Security


Does Impala support HBase security? Can Impala impersonate end users when
accessing HBase?


Does Impala work with Kerberized HBase?


Thank You




Re: Impala Hbase Security

Posted by Tim Armstrong <ta...@cloudera.com>.
I don't believe that we have anything planned.

For what it's worth the situation with HDFS is similar - we generally
assume that the Impala user is given broad enough permissions to access any
HDFS files or directories that any Impala user needs access to. Then
authorisation is done via Sentry to determine whether a given user has
access to the particular tables and columns. This lets us do things like
column-level security and also have different permissions on views and the
underlying tables.

On Fri, Feb 3, 2017 at 10:03 AM, Danny Morgan <un...@hotmail.com>
wrote:

> Thanks Tim, I was able to verify the kerberos support. Any chance you'll
> add support for impersonation to HBase? I think right now everything runs
> as the "impala" user.
> ------------------------------
> *From:* Tim Armstrong <ta...@cloudera.com>
> *Sent:* Thursday, February 2, 2017 9:14:47 PM
> *To:* user@impala.incubator.apache.org
> *Subject:* Re: Impala Hbase Security
>
> Hi Danny,
>   I believe that Impala should pick up your HBase security configuration
> from hbase-site.xml. We don't support impersonation.
>
> - Tim
>
> On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <un...@hotmail.com>
> wrote:
>
>> Hi Everyone, any luck?
>> ------------------------------
>> *From:* Danny Morgan <un...@hotmail.com>
>> *Sent:* Friday, January 27, 2017 10:08:12 PM
>> *To:* user@impala.incubator.apache.org
>> *Subject:* Impala Hbase Security
>>
>>
>> Does Impala support HBase security? Can Impala impersonate end users
>> when accessing HBase?
>>
>>
>> Does Impala work with Kerberized HBase?
>>
>>
>> Thank You
>>
>>
>

Re: Impala Hbase Security

Posted by Danny Morgan <un...@hotmail.com>.
Thanks Tim, I was able to verify the kerberos support. Any chance you'll add support for impersonation to HBase? I think right now everything runs as the "impala" user.

________________________________
From: Tim Armstrong <ta...@cloudera.com>
Sent: Thursday, February 2, 2017 9:14:47 PM
To: user@impala.incubator.apache.org
Subject: Re: Impala Hbase Security

Hi Danny,
  I believe that Impala should pick up your HBase security configuration from hbase-site.xml. We don't support impersonation.

- Tim

On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <un...@hotmail.com> wrote:

Hi Everyone, any luck?

________________________________
From: Danny Morgan <un...@hotmail.com>
Sent: Friday, January 27, 2017 10:08:12 PM
To: user@impala.incubator.apache.org
Subject: Impala Hbase Security


Does Impala support HBase security? Can Impala impersonate end users when
accessing HBase?


Does Impala work with Kerberized HBase?


Thank You



Re: Impala Hbase Security

Posted by Tim Armstrong <ta...@cloudera.com>.
Hi Danny,
  I believe that Impala should pick up your HBase security configuration
from hbase-site.xml. We don't support impersonation.

- Tim

On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <un...@hotmail.com> wrote:

> Hi Everyone, any luck?
> ------------------------------
> *From:* Danny Morgan <un...@hotmail.com>
> *Sent:* Friday, January 27, 2017 10:08:12 PM
> *To:* user@impala.incubator.apache.org
> *Subject:* Impala Hbase Security
>
>
> Does Impala support HBase security? Can Impala impersonate end users when
> accessing HBase?
>
>
> Does Impala work with Kerberized HBase?
>
>
> Thank You
>
>

Re: Impala Hbase Security

Posted by Sailesh Mukil <sa...@cloudera.com>.
https://www.cloudera.com/documentation/enterprise/5-8-x/topics/impala_hbase.html

The Impala docs just specify: "For details about HBase security, see the
Security chapter in the HBase Reference Guide
<http://hbase.apache.org/book/ch08s04.html>."

That link has a section on "Client-side Configuration for Secure Operation"
which can be tried to see if it works. It should work if configured correctly
but it's hard to tell as AFAIK, our testing does not include Impala over HBase
in a secure environment.

On Thu, Feb 2, 2017 at 10:34 AM, Tim Armstrong <ta...@cloudera.com>
wrote:

> Does anyone on dev@ know about this? I'm guessing we don't support impersonation
> but have no idea if we support kerberos - is that automatically picked up
> by the HBASE client?
>
> On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <un...@hotmail.com>
> wrote:
>
> > Hi Everyone, any luck?
> > ------------------------------
> > *From:* Danny Morgan <un...@hotmail.com>
> > *Sent:* Friday, January 27, 2017 10:08:12 PM
> > *To:* user@impala.incubator.apache.org
> > *Subject:* Impala Hbase Security
> >
> >
> > Does Impala support HBase security? Can Impala impersonate end users
> > when accessing HBase?
> >
> >
> > Does Impala work with Kerberized HBase?
> >
> >
> > Thank You
> >
> >
>
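
A check for the client-side settings the replies above point to, added here as an example; it is not part of the thread and not Impala or HBase code. It reads a Hadoop-style `hbase-site.xml` and reports whether Kerberos authentication, the server principals and RPC protection are set. The property names are standard HBase settings, while the sample file is constructed and treating a missing principal as a finding is this example's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a client-side hbase-site.xml (not from the thread).
SAMPLE_HBASE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hbase.master.kerberos.principal</name>
    <value>hbase/_HOST@EXAMPLE.COM</value>
  </property>
</configuration>
"""

PRINCIPAL_KEYS = ("hbase.master.kerberos.principal",
                  "hbase.regionserver.kerberos.principal")

def load_properties(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_client_config(xml_text):
    """List client-side security settings that are missing or weak."""
    props = load_properties(xml_text)
    findings = []
    # An unset authentication property is treated as the insecure "simple" mode.
    auth = props.get("hbase.security.authentication", "simple").lower()
    if auth != "kerberos":
        findings.append(f"hbase.security.authentication is '{auth}', not 'kerberos'")
    for key in PRINCIPAL_KEYS:
        if not props.get(key):
            findings.append(f"{key} is not set")
    # Only "privacy" adds encryption on top of authentication and integrity.
    protection = props.get("hbase.rpc.protection", "authentication").lower()
    if protection not in ("authentication", "integrity", "privacy"):
        findings.append(f"hbase.rpc.protection has unknown value '{protection}'")
    elif protection != "privacy":
        findings.append(f"hbase.rpc.protection is '{protection}': RPC data is not encrypted")
    return findings

if __name__ == "__main__":
    for finding in audit_client_config(SAMPLE_HBASE_SITE):
        print("FINDING:", finding)
```

Run it against the `hbase-site.xml` on the Impala daemon's classpath, since that is the copy the replies say Impala reads.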

Re: Impala Hbase Security

Posted by Tim Armstrong <ta...@cloudera.com>.
Does anyone on dev@ know about this? I'm guessing we don't support impersonation
but have no idea if we support kerberos - is that automatically picked up
by the HBASE client?

On Thu, Feb 2, 2017 at 6:55 AM, Danny Morgan <un...@hotmail.com> wrote:

> Hi Everyone, any luck?
> ------------------------------
> *From:* Danny Morgan <un...@hotmail.com>
> *Sent:* Friday, January 27, 2017 10:08:12 PM
> *To:* user@impala.incubator.apache.org
> *Subject:* Impala Hbase Security
>
>
> Does Impala support HBase security? Can Impala impersonate end users when
> accessing HBase?
>
>
> Does Impala work with Kerberized HBase?
>
>
> Thank You
>
>