Posted to issues@hbase.apache.org by "Josh Elser (Jira)" <ji...@apache.org> on 2019/12/06 21:25:00 UTC

[jira] [Comment Edited] (HBASE-23347) Pluggable RPC authentication

    [ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16984038#comment-16984038 ] 

Josh Elser edited comment on HBASE-23347 at 12/6/19 9:24 PM:
-------------------------------------------------------------

Copying from the pull-request:
{quote}This is a big one. Sorry ;)

Start here with a one-page writeup: [https://github.com/joshelser/hbase/blob/23347-pluggable-authentication/dev-support/design-docs/HBASE-23347-pluggable-authentication.md]

Next, look at the client side interfaces: [https://github.com/joshelser/hbase/tree/23347-pluggable-authentication/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider]

Then, the server side interfaces: [https://github.com/joshelser/hbase/tree/23347-pluggable-authentication/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider]

Finally, an end-to-end example of how you can use this: [https://github.com/joshelser/hbase/blob/23347-pluggable-authentication/hbase-server/src/test/java/org/apache/hadoop/hbase/security/provider/TestCustomSaslAuthenticationProvider.java]

This is very-much a first draft. This is "new art" for HBase and I expect some discussion on how we want to safely do this. I'm fully expecting lots of revisions.

Relevant tests should be passing, but this is also partially for me to let QA-bot run. Everything I did was in attempts to retain backwards compatibility with older clients, as well as RPC-impl compatibility. This should all be implementation-details inside of HBase.
{quote}
(edit: updated design doc link)


was (Author: elserj):
Copying from the pull-request:

{quote}
This is a big one. Sorry ;)

Start here with a one-page writeup: [https://github.com/joshelser/hbase/blob/23347-pluggable-authentication/PluggableRpcAuthentication.md]

Next, look at the client side interfaces: [https://github.com/joshelser/hbase/tree/23347-pluggable-authentication/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider]

Then, the server side interfaces: [https://github.com/joshelser/hbase/tree/23347-pluggable-authentication/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider]

Finally, an end-to-end example of how you can use this: [https://github.com/joshelser/hbase/blob/23347-pluggable-authentication/hbase-server/src/test/java/org/apache/hadoop/hbase/security/provider/TestCustomSaslAuthenticationProvider.java]

This is very-much a first draft. This is "new art" for HBase and I expect some discussion on how we want to safely do this. I'm fully expecting lots of revisions.

Relevant tests should be passing, but this is also partially for me to let QA-bot run. Everything I did was in attempts to retain backwards compatibility with older clients, as well as RPC-impl compatibility. This should all be implementation-details inside of HBase.
{quote}

> Pluggable RPC authentication
> ----------------------------
>
>                 Key: HBASE-23347
>                 URL: https://issues.apache.org/jira/browse/HBASE-23347
>             Project: HBase
>          Issue Type: Improvement
>          Components: rpc, security
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Major
>             Fix For: 3.0.0
>
>
> Today in HBase, we rely on SASL to implement Kerberos and delegation token authentication. The RPC client and server logic is very tightly coupled to our three authentication mechanisms (the two previously mentioned plus simple auth'n) for no good reason (other than "that's how it was built", best as I can tell).
> SASL's function is to decouple the "application" from how a request is being authenticated, which means that, to support a variety of other authentication approaches, we just need to be a little more flexible in letting developers create their own authentication mechanism for HBase.
> This is less for the "average joe" user to write their own authentication plugin (eek), but more to allow us HBase developers to start iterating, see what is possible.
> I'll attach a full write-up on what I have today as to how I think we can add these abstractions, as well as an initial implementation of this idea, with a unit test that shows an end-to-end authentication solution against HBase.
> cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots of great feedback and support.


