Posted to issues@hbase.apache.org by "Andrew Purtell (JIRA)" <ji...@apache.org> on 2015/04/11 02:56:12 UTC

[jira] [Commented] (HBASE-4817) Simplify configuration of security components

    [ https://issues.apache.org/jira/browse/HBASE-4817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14490657#comment-14490657 ] 

Andrew Purtell commented on HBASE-4817:
---------------------------------------

Want to revisit [~ghelmling]? [~jerryhe] ?

> Simplify configuration of security components
> ---------------------------------------------
>
>                 Key: HBASE-4817
>                 URL: https://issues.apache.org/jira/browse/HBASE-4817
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Gary Helmling
>
> The HBase security features were built to be optionally loadable, when desired, and it shows through in the complexity of configuring security for operation.
> In addition to the baseline configuration required for process keytab files and server principals, the following properties need to be set to enable security:
> {code}
> <property>
>  <name>hbase.security.authentication</name>
>  <value>kerberos</value>
> </property>
> <property>
>  <name>hbase.coprocessor.master.classes</name>
>  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>  <name>hbase.coprocessor.region.classes</name>
>  <value>org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider</value>
> </property>
> <property>
>  <name>hbase.rpc.engine</name>
>  <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
> </property>
> <property>
>  <name>hbase.zookeeper.property.authProvider.1</name>
>  <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>
> </property>
> {code}
> We should be able to simplify this and automatically set up the underlying code components (required coprocessors, SecureRpcEngine) when some high level security flags are set.
> For authentication and authorization, I'd like to narrow it down to two simple configuration properties.  When set, these would trigger automatic configuration of the required coprocessors/RpcEngine:
> * {{hbase.security.authentication}} - when set to {{kerberos}}, this would automatically:
> ** set {{hbase.rpc.engine=org.apache.hadoop.hbase.ipc.SecureRpcEngine}}
> ** add {{org.apache.hadoop.hbase.security.token.TokenProvider}} to the configuration for {{hbase.coprocessor.region.classes}}
> ** possibly also set {{hbase.zookeeper.property.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider}} for zookeeper?
> * {{hbase.security.authorization}} - when set to {{true}}, this would automatically:
> ** add {{org.apache.hadoop.hbase.security.access.AccessController}} to the configuration for both {{hbase.coprocessor.master.classes}} and {{hbase.coprocessor.region.classes}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
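
Until the flags described in the issue imply the lower-level settings, a deployment can set the two high-level flags and still miss one of the components they depend on. The following check is an added example, not code from the HBase project or from the issue: it reads an hbase-site.xml and reports which of the properties quoted in the issue description are absent or incomplete. The function names and the sample file are constructed for illustration, and the ZooKeeper property, which the issue lists only as a possible implication, is treated here as required.

```python
import xml.etree.ElementTree as ET

AC = "org.apache.hadoop.hbase.security.access.AccessController"
TP = "org.apache.hadoop.hbase.security.token.TokenProvider"
RPC = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"
ZK_SASL = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"

# Constructed sample: both flags are set, but AccessController is missing from
# the region coprocessors and the ZooKeeper SASL provider is not configured.
SAMPLE_SITE = """<configuration>
 <property><name>hbase.security.authentication</name><value>kerberos</value></property>
 <property><name>hbase.security.authorization</name><value>true</value></property>
 <property><name>hbase.rpc.engine</name><value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value></property>
 <property><name>hbase.coprocessor.master.classes</name><value>org.apache.hadoop.hbase.security.access.AccessController</value></property>
 <property><name>hbase.coprocessor.region.classes</name><value>org.apache.hadoop.hbase.security.token.TokenProvider</value></property>
</configuration>"""

def load_props(xml_text):
    # Flatten <property><name>/<value> pairs into a dict.
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def audit(xml_text):
    props = load_props(xml_text)
    findings = []

    def need_value(key, want):
        if props.get(key) != want:
            findings.append(f"{key}: expected {want}, found {props.get(key)!r}")

    def need_class(key, cls):
        have = [c.strip() for c in props.get(key, "").split(",") if c.strip()]
        if cls not in have:
            findings.append(f"{key}: missing {cls}")

    # Components the issue ties to hbase.security.authentication=kerberos.
    if props.get("hbase.security.authentication") == "kerberos":
        need_value("hbase.rpc.engine", RPC)
        need_class("hbase.coprocessor.region.classes", TP)
        need_value("hbase.zookeeper.property.authProvider.1", ZK_SASL)
    # Components the issue ties to hbase.security.authorization=true.
    if props.get("hbase.security.authorization", "").lower() == "true":
        need_class("hbase.coprocessor.master.classes", AC)
        need_class("hbase.coprocessor.region.classes", AC)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SITE)) or "no findings")
```
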