Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-24252

Implement proxyuser/doAs mechanism for hbase-http

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.0.0-alpha-1, 2.3.0, 2.2.5
    • security, UI
    • None
    • Reviewed
    • Hide
      This feature enables the HBase Web UI's to accept a 'proxyuser' via the HTTP Request's query string. When the parameter `hbase.security.authentication.spnego.kerberos.proxyuser.enable` is set to `true` in hbase-site.xml (default is `false`), the HBase UI will attempt to impersonate the user specified by the query parameter "doAs". This query parameter is checked case-insensitively. When this option is not provided, the user who executed the request is the "real" user and there is no ability to execute impersonation against the WebUI.

      For example, if the user "bob" with Kerberos credentials executes a request against the WebUI with this feature enabled and a query string which includes `doAs=alice`, the HBase UI will treat this request as executed as `alice`, not `bob`.

      The standard Hadoop proxyuser configuration properties to limit users who may impersonate others apply to this change (e.g. to enable `bob` to impersonate `alice`). See the Hadoop documentation for more information on how to configure these proxyuser rules.
      Show
      This feature enables the HBase Web UI's to accept a 'proxyuser' via the HTTP Request's query string. When the parameter `hbase.security.authentication.spnego.kerberos.proxyuser.enable` is set to `true` in hbase-site.xml (default is `false`), the HBase UI will attempt to impersonate the user specified by the query parameter "doAs". This query parameter is checked case-insensitively. When this option is not provided, the user who executed the request is the "real" user and there is no ability to execute impersonation against the WebUI. For example, if the user "bob" with Kerberos credentials executes a request against the WebUI with this feature enabled and a query string which includes `doAs=alice`, the HBase UI will treat this request as executed as `alice`, not `bob`. The standard Hadoop proxyuser configuration properties to limit users who may impersonate others apply to this change (e.g. to enable `bob` to impersonate `alice`). See the Hadoop documentation for more information on how to configure these proxyuser rules.

    Description

      The REST and Thrift interfaces for HBase already implement the standard hadoop ProxyUser mechanism for SPNEGO, but it is not implemented in hbase-httpserver.

      Implement it.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. HBASE-24268 REST and Thrift server do not handle the "doAs" parameter case insensitively

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved
          links to

          Web Link GitHub PR

          There are no Sub-Tasks for this issue.

          Activity

            People

              stoty Istvan Toth
              stoty Istvan Toth
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: