Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-23347

Pluggable RPC authentication

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.0.0-alpha-1, 2.3.0
    • rpc, security
    • None
    • Reviewed
    • Hide
      This change introduces an internal abstraction layer which allows for new SASL-based authentication mechanisms to be used inside HBase services. All existing SASL-based authentication mechanism were ported to the new abstraction, making no external change in runtime semantics, client API, or RPC serialization format.

      Developers familiar with extending HBase can implement authentication mechanism beyond simple Kerberos and DelegationTokens which authenticate HBase users against some other user database. HBase service authentication (Master to/from RegionServer) continue to operate solely over Kerberos.
      Show
      This change introduces an internal abstraction layer which allows for new SASL-based authentication mechanisms to be used inside HBase services. All existing SASL-based authentication mechanism were ported to the new abstraction, making no external change in runtime semantics, client API, or RPC serialization format. Developers familiar with extending HBase can implement authentication mechanism beyond simple Kerberos and DelegationTokens which authenticate HBase users against some other user database. HBase service authentication (Master to/from RegionServer) continue to operate solely over Kerberos.

    Description

      Today in HBase, we rely on SASL to implement Kerberos and delegation token authentication. The RPC client and server logic is very tightly coupled to our three authentication mechanism (the previously two mentioned plus simple auth'n) for no good reason (other than "that's how it was built", best as I can tell).

      SASL's function is to decouple the "application" from how a request is being authenticated, which means that, to support a variety of other authentication approaches, we just need to be a little more flexible in letting developers create their own authentication mechanism for HBase.

      This is less for the "average joe" user to write their own authentication plugin (eek), but more to allow us HBase developers to start iterating, see what is possible.

      I'll attach a full write-up on what I have today as to how I think we can add these abstractions, as well as an initial implementation of this idea, with a unit test that shows an end-to-end authentication solution against HBase.

      cc/ wchevreuil as he's been working with me behind the scenes, giving lots of great feedback and support.

      Attachments

        Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. HBASE-23709 Unwrap the real user to properly dispatch proxy-user auth'n

          • Major - Major loss of function.
          • Resolved
          causes

          Sub-task - The sub-task of the issue HBASE-23722 TestCustomSaslAuthenticationProvider failing in nightlies

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #884

          Web Link GitHub Pull Request #1060

          Activity

            People

              elserj Josh Elser
              elserj Josh Elser
              Votes:
              0 Vote for this issue
              Watchers:
              15 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: