You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Aditya Kishore (JIRA)" <ji...@apache.org> on 2013/09/10 03:03:51 UTC

[jira] [Updated] (HBASE-9482) Do not enforce secure Hadoop for secure HBase

     [ https://issues.apache.org/jira/browse/HBASE-9482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aditya Kishore updated HBASE-9482:
----------------------------------

    Attachment: HBASE-9482-0.94.patch

Patch of 0.94 branch.
                
> Do not enforce secure Hadoop for secure HBase
> ---------------------------------------------
>
>                 Key: HBASE-9482
>                 URL: https://issues.apache.org/jira/browse/HBASE-9482
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>            Reporter: Aditya Kishore
>            Assignee: Aditya Kishore
>              Labels: security
>         Attachments: HBASE-9482-0.94.patch
>
>
> We should recommend and not enforce secure Hadoop underneath as a requirement to run secure HBase.
> Few of our customers have HBase clusters which expose only HBase services to outside the physical network and no other services (including ssh) are accessible from outside of such cluster.
> However they are forced to setup secure Hadoop and incur the penalty of security overhead at filesystem layer even if they do not need to.
> The following code tests for both secure HBase and secure Hadoop.
> {code:title=org.apache.hadoop.hbase.security.User|borderStyle=solid}
>   /**
>    * Returns whether or not secure authentication is enabled for HBase.  Note that
>    * HBase security requires HDFS security to provide any guarantees, so this requires that
>    * both <code>hbase.security.authentication</code> and <code>hadoop.security.authentication</code>
>    * are set to <code>kerberos</code>.
>    */
>   public static boolean isHBaseSecurityEnabled(Configuration conf) {
>     return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY)) &&
>         "kerberos".equalsIgnoreCase(
>             conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION));
>   }
> {code}
> What is worse that if {{"hadoop.security.authentication"}} is not set to {{"kerberos"}} (undocumented at http://hbase.apache.org/book/security.html), all other configuration have no impact and HBase RPCs silently switch back to unsecured mode.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira