Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-1697 Discretionary access control
  3. HBASE-4099

Authentication for ThriftServer clients



    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security
    • Labels:


      The current implementation of HBase client authentication only works with the Java API. Alternate access gateways, like Thrift and REST are left out and will not work.

      For the ThriftServer to be able to fully interoperate with the security implementation:

      1. the ThriftServer should be able to login from a keytab file with it's own server principal on startup
      2. thrift clients should be able to authenticate securely when connecting to the server
      3. the ThriftServer should be able to act as a proxy for those clients so that the RPCs it issues will be correctly authorized as the original client identities

      There is already some support for step 3 in UserGroupInformation and related classes.

      For step #2, we really need to look at what thrift itself supports.

      At a bare minimum, we need to implement step #1. If we do this, even without steps 2 & 3, this would at least allow deployments to use a ThriftServer per application user, and have the server login as that user on startup. Thrift clients may not be directly authenticated, but authorization checks for HBase could still be handled correctly this way.


        1. HBASE-4099.patch
          4 kB
          Gary Helmling

          Issue Links



              • Assignee:
                stack Michael Stack
                ghelmling Gary Helmling
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created: