You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@hbase.apache.org by jw...@gmail.com on 2020/08/12 14:49:55 UTC

Using KnoxSSO Proxy for Hbase Web UIs

Hello!

 

I'm trying to prevent anonymous access to the Hbase Master and Regionserver
standard web UIs (the ones running on ports 16010/16030). I'm not able to
use SPNEGO protection on the web interfaces as the workstations my team
would be coming in from are Windows 10 workstations on a different domain
(that we don't have the rights to install software on). 

 

Is it possible to configure the Hbase web UIs to utilize Knox's KnoxSSO
proxy? Something analogous to this configuration setting in Hadoop's
core-site.xml:

<property>

<name>hadoop.http.authentication.authentication.provider.url</name>

<value>https://
<https://%3cknoxGWserver%3e:8443/gateway/knoxsso/api/v1/websso%3c/value>
<knoxGWserver>:8443/gateway/knoxsso/api/v1/websso</value>

</property>

 

If not, are there any other options available other than disabling the web
interfaces entirely?

 

Thanks!

Re: Using KnoxSSO Proxy for Hbase Web UIs

Posted by Billy Watson <wi...@gmail.com>.
So if I'm understanding correctly, I've done something very similar to this
before. You can setup a cross-domain trust at the server level. Then for
your clients, you can specify the krb5 at bootup of java/kinit either
through an environment variable or something like this:
https://stackoverflow.com/a/30710283

Then these two things WOULD allow you to use something like spnego and that
might solve your problems.

To answer your question more directly, without SPNEGO, I don't see anything
like that in the HBase configs but I'm maybe missing something. You're
thinking about it backwards from how I usually think about it, which is
fine.

But if you flip it, there's an easier way, assuming you are cool running a
knox gateway: use the knox gateway to sit in front of the HBase UI and
block access except through the knox servers. There's a tutorial that MIGHT
work here
https://community.cloudera.com/t5/Community-Articles/Configure-Knox-to-access-HBASE-UI/ta-p/249399
although it's roughly similar to setting up any other knox gateway proxy.


William Watson



On Wed, Aug 12, 2020 at 10:50 AM <jw...@gmail.com> wrote:

> Hello!
>
>
>
> I'm trying to prevent anonymous access to the Hbase Master and Regionserver
> standard web UIs (the ones running on ports 16010/16030). I'm not able to
> use SPNEGO protection on the web interfaces as the workstations my team
> would be coming in from are Windows 10 workstations on a different domain
> (that we don't have the rights to install software on).
>
>
>
> Is it possible to configure the Hbase web UIs to utilize Knox's KnoxSSO
> proxy? Something analogous to this configuration setting in Hadoop's
> core-site.xml:
>
> <property>
>
> <name>hadoop.http.authentication.authentication.provider.url</name>
>
> <value>https://
> <https://%3cknoxGWserver%3e:8443/gateway/knoxsso/api/v1/websso%3c/value>
> <knoxGWserver>:8443/gateway/knoxsso/api/v1/websso</value>
>
> </property>
>
>
>
> If not, are there any other options available other than disabling the web
> interfaces entirely?
>
>
>
> Thanks!
>
>
>
>