[HBASE-4100] Authentication for REST clients - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: None
Fix Version/s: None
Component/s: security
Labels:
None

Description

Like Thrift, the REST gateway is not currently integrated into the authentication used for HBase RPC. Currently this means the REST gateway cannot even be used when HBase security is active.

For the REST gateway to be able to interoperate with HBase security:

the REST server needs to be able to login from a keytab on startup with its own server principal
REST clients need to be able to authenticate security with the REST server
the REST server needs to be able to act as a trusted proxy for the original client identities, so that the HBase authorization checks can be performed against the original client request

Like Thrift, implementing step #1 as a bare minimum would at least allow deploying a REST server configured to login as the application user on startup. Even without authenticating REST clients, this would allow the gateway to work when HBase security is active.

For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI authentication of clients over HTTP. The Alfredo library from Cloudera would hopefully make this relatively easy to do:
http://cloudera.github.com/alfredo/docs/latest/index.html

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HBASE-4100.patch
21/Sep/11 21:20
3 kB
Gary Helmling

Issue Links

duplicates

HBASE-5062 Missing logons if security is enabled

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Gary Helmling

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 14/Jul/11 18:06

Updated:: 12/Jun/22 19:04

Resolved:: 31/Aug/12 16:46