You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Ted Yu (JIRA)" <ji...@apache.org> on 2017/04/01 00:59:42 UTC

[jira] [Updated] (HBASE-17860) Implement secure native client connection

     [ https://issues.apache.org/jira/browse/HBASE-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-17860:
---------------------------
    Attachment: 17860.v2.txt

Patch v2 retrieves the principal by calling krb5 API.
If user hasn't done kinit (empty ccache), login user would be used. However, calling Cyrus library would fault out.

I am open to suggestion on where the unit test should be placed. Currently I latch onto ClientTest.PutGet to show that both put and get can succeed.

Some of the files, such as conf/hbase-site.xml, contain changes which enable my testing on docker VM. They would be dropped before the commit.
hbase/23a03935850c@EXAMPLE.COM corresponds to the principal I generated for server to run (23a03935850c being the hostname of the docker VM).

> Implement secure native client connection
> -----------------------------------------
>
>                 Key: HBASE-17860
>                 URL: https://issues.apache.org/jira/browse/HBASE-17860
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>            Priority: Critical
>         Attachments: 17860.v2.txt
>
>
> So far, the native client communicates with insecure cluster.
> This JIRA is to add secure connection support for native client using Cyrus library.
> The work is based on earlier implementation and is redone via wangle and folly frameworks.
> Thanks to [~devaraj] who started the initiative.
> Here is high level description of the design:
> * SaslHandler is declared as:
> {code}
> class SaslHandler
>     : public wangle::HandlerAdapter<folly::IOBufQueue&, std::unique_ptr<folly::IOBuf>>{
> {code}
> It would be inserted between EventBaseHandler and LengthFieldBasedFrameDecoder in the pipeline (via ConnectionFactory::Connect())
> * SaslHandler would intercept writes to server by buffering the IOBuf's and start the handshake process (via sasl_client_XX calls provided by Cyrus)
> * after handshake is complete, SaslHandler would send the buffered IOBuf's to server and act as pass-thru from then on



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)