Posted to issues@hbase.apache.org by "Gary Helmling (JIRA)" <ji...@apache.org> on 2011/07/14 19:57:59 UTC

[jira] [Created] (HBASE-4099) Authentication for ThriftServer clients

Authentication for ThriftServer clients
---------------------------------------

                 Key: HBASE-4099
                 URL: https://issues.apache.org/jira/browse/HBASE-4099
             Project: HBase
          Issue Type: Sub-task
          Components: security
            Reporter: Gary Helmling


The current implementation of HBase client authentication only works with the Java API.  Alternate access gateways, like Thrift and REST, are left out and will not work.

For the ThriftServer to be able to fully interoperate with the security implementation:
# the ThriftServer should be able to log in from a keytab file with its own server principal on startup
# Thrift clients should be able to authenticate securely when connecting to the server
# the ThriftServer should be able to act as a proxy for those clients so that the RPCs it issues will be correctly authorized as the original client identities

There is already some support for step 3 in UserGroupInformation and related classes.

For step #2, we really need to look at what Thrift itself supports.

At a bare minimum, we need to implement step #1.  If we do this, even without steps 2 & 3, this would at least allow deployments to use a ThriftServer per application user, and have the server log in as that user on startup.  Thrift clients may not be directly authenticated, but authorization checks for HBase could still be handled correctly this way.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
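
Steps 1 and 3 of the issue description, sketched with Hadoop's UserGroupInformation as an added example; this is not the contents of HBASE-4099.patch or any HBase code. The class and method names are hypothetical, and it assumes the Hadoop client libraries on the classpath and a working Kerberos environment.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper for illustration; not part of HBase. */
public class GatewayIdentity {

  /** Step 1: log the gateway in from its keytab under its own server principal. */
  static UserGroupInformation loginFromKeytab(Configuration conf, String principal,
      String keytabPath) throws IOException {
    UserGroupInformation.setConfiguration(conf);
    // Fail closed: with "simple" authentication the login would prove nothing.
    if (!UserGroupInformation.isSecurityEnabled()) {
      throw new IOException("hadoop.security.authentication is not set to kerberos");
    }
    UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
    return UserGroupInformation.getLoginUser();
  }

  /**
   * Step 3: issue one RPC as the original client, with the gateway as the real user.
   * clientUser must be the identity established by step 2; the issue leaves that
   * mechanism open, so it is only a parameter here. Passing an unauthenticated
   * name would let any caller pick the identity used for authorization.
   */
  static <T> T runAsClient(UserGroupInformation gateway, String clientUser,
      PrivilegedExceptionAction<T> rpc) throws IOException, InterruptedException {
    if (clientUser == null || clientUser.isEmpty()) {
      throw new IllegalArgumentException("no authenticated client identity");
    }
    UserGroupInformation proxy = UserGroupInformation.createProxyUser(clientUser, gateway);
    return proxy.doAs(rpc);
  }

  public static void main(String[] args) throws Exception {
    // args: <server principal> <keytab path> <client user>, supplied by the operator.
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation gateway = loginFromKeytab(conf, args[0], args[1]);
    // Stand-in for an HBase RPC: report which user the action runs as.
    String effective = runAsClient(gateway, args[2],
        () -> UserGroupInformation.getCurrentUser().getUserName());
    System.out.println("real user: " + gateway.getUserName()
        + ", effective user: " + effective);
  }
}
```

With only `loginFromKeytab` in place, every request is authorized as the gateway's own principal, which is the per-application-user deployment the description calls the bare minimum.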

        

[jira] [Commented] (HBASE-4099) Authentication for ThriftServer clients

Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13443533#comment-13443533 ] 

Lars Hofhansl commented on HBASE-4099:
--------------------------------------

Can we commit or close this?
                

[jira] [Commented] (HBASE-4099) Authentication for ThriftServer clients

Posted by "stack (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13173897#comment-13173897 ] 

stack commented on HBASE-4099:
------------------------------

These have been committed?
                

        

[jira] [Commented] (HBASE-4099) Authentication for ThriftServer clients

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13112165#comment-13112165 ] 

Andrew Purtell commented on HBASE-4099:
---------------------------------------

+1


        

[jira] [Resolved] (HBASE-4099) Authentication for ThriftServer clients

Posted by "Gary Helmling (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Helmling resolved HBASE-4099.
----------------------------------

    Resolution: Duplicate
      Assignee: stack

Change was applied as part of HBASE-5062 by stack.
                

[jira] [Updated] (HBASE-4099) Authentication for ThriftServer clients

Posted by "Gary Helmling (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Helmling updated HBASE-4099:
---------------------------------

    Attachment: HBASE-4099.patch

Here's a patch that implements step #1 -- allowing the ThriftServer to log in from a keytab file on startup.  This allows the ThriftServer's connections to HBase to be authenticated and subject to access control.  So this change is only required if using the SecureRpcEngine.  However, for deployments using secure RPC and access control, it will be required for the Thrift gateway to work.
