diff --git src/main/docbkx/security.xml src/main/docbkx/security.xml index 0e6ade0..30e738b 100644 --- src/main/docbkx/security.xml +++ src/main/docbkx/security.xml @@ -170,7 +170,8 @@ HTable table = new HTable(conf, tablename); Expect a ~10% performance penalty for encrypted communication. -
+ +
Client-side Configuration for Secure Operation - Thrift Gateway Add the following to the hbase-site.xml file for every Thrift gateway: @@ -186,7 +187,8 @@ HTable table = new HTable(conf, tablename); ]]> - Substitute the appropriate credential and keytab for $USER and $KEYTAB respectively. + Substitute the appropriate credential and keytab for $USER + and $KEYTAB respectively. In order to use the Thrift API principal to interact with HBase, it is also necessary to add the hbase.thrift.kerberos.principal to the _acl_ table. For example, to give the Thrift API principal, thrift_server, administrative @@ -201,7 +203,50 @@ grant 'thrift_server', 'RWCA' authentication will be performed by the Thrift gateway itself. All client access via the Thrift gateway will use the Thrift gateway's credential and have its privilege.
- +
+ Server-Side Authentication for Thrift + In addition to the client-side configuration described in , you can authenticate at the server side, using + impersonation. This was implemented in HBASE-11349 for + Thrift 1, and HBASE-11474 for Thrift 2. To enable it, do the following. + + + Be sure Thrift is running in secure mode, by following the procedure described in + . + + + Be sure that HBase is configured to allow proxy users, as described in . + + + In hbase-site.xml for each cluster node running a Thrift + gateway, set the property hbase.thrift.security.qop to one of the following + three values: + + + auth-conf - authentication, integrity, and confidentiality + checking + + + auth-int - authentication and integrity checking + + + auth - authentication checking only + + + + + Restart the Thrift gateway processes for the changes to take effect. If a node is + running Thrift, the output of the jps command will list a + ThriftServer process. To stop Thrift on a node, run the command + bin/hbase-daemon.sh stop thrift. To start Thrift on a node, run the + command bin/hbase-daemon.sh start thrift. + + +
+
Client-side Configuration for Secure Operation - REST Gateway Add the following to the hbase-site.xml file for every REST gateway: @@ -215,7 +260,8 @@ grant 'thrift_server', 'RWCA' $USER/_HOST@HADOOP.LOCALDOMAIN ]]> - Substitute the appropriate credential and keytab for $USER and $KEYTAB respectively. + Substitute the appropriate credential and keytab for $USER + and $KEYTAB respectively. The REST gateway will authenticate with HBase using the supplied credential. No authentication will be performed by the REST gateway itself. All client access via the REST gateway will use the REST gateway's credential and have its privilege. @@ -233,7 +279,7 @@ grant 'rest_server', 'RWCA'
-
+
REST Gateway Impersonation Configuration By default, the REST gateway doesn't support impersonation. It accesses the HBase on behalf of clients as the user configured as in the previous section. To the HBase server, diff --git src/main/docbkx/thrift_filter_language.xml src/main/docbkx/thrift_filter_language.xml index 9af2954..9044d1a 100644 --- src/main/docbkx/thrift_filter_language.xml +++ src/main/docbkx/thrift_filter_language.xml @@ -28,13 +28,14 @@ --> Thrift API and Filter Language - Apache Thrift is a cross-platform, cross-language - development framework. HBase includes a Thrift API and filter language. The Thrift API - relies on client and server processes. Documentation about the HBase Thrift API is located - at . The rest of this chapter - discusses the filter language provided by the Thrift API. + Apache Thrift is a cross-platform, + cross-language development framework. HBase includes a Thrift API and filter language. The + Thrift API relies on client and server processes. Documentation about the HBase Thrift API + is located at . + You can configure Thrift for secure authentication at the server and client side, by + following the procedures in and . + The rest of this chapter discusses the filter language provided by the Thrift API.
Filter Language
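Review bot: the first security.xml hunk (one `-` line becoming two `+` lines just after "Expect a ~10% performance penalty for encrypted communication") is where the cross-reference target for the Thrift client-configuration section must be introduced, yet every reference to it later in this patch renders empty ("described in , you can authenticate", "by following the procedure described in .", "as described in ."). Before merging, confirm that this hunk adds an xml:id to that section and that each xref in the new Server-Side Authentication section and in thrift_filter_language.xml names an id that actually exists in security.xml; otherwise the links will not resolve in the built book.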
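Review bot: the new Server-Side Authentication for Thrift section (hunk @@ -201,7 +203,50) does not give the reader the two facts needed to pick a hbase.thrift.security.qop value safely. First, the list describes auth-conf, auth-int and auth as "authentication, integrity, and confidentiality checking", "authentication and integrity checking" and "authentication checking only" but never states the consequence: only auth-conf protects the RPC payload on the wire, auth-int only detects tampering, and auth leaves data readable on the network; add one sentence after the value list saying so, and tie auth-conf back to the "Expect a ~10% performance penalty for encrypted communication" sentence earlier in the same file. Second, the section says it authenticates "using impersonation", but the four steps only turn on secure mode, proxy users and QoP, while the paragraph immediately above the insertion still says "All client access via the Thrift gateway will use the Thrift gateway's credential and have its privilege." State explicitly whether, once these steps are followed, requests run as the impersonated end user rather than as thrift_server (which also changes what the grant 'thrift_server', 'RWCA' step delegates), and if a gateway-side setting is needed to enable impersonation, name it in the step list.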
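Review bot: in the reworded introduction of thrift_filter_language.xml, the sentence "You can configure Thrift for secure authentication at the server and client side, by following the procedures in and ." has an unneeded comma before "by following", and as presented both cross-references are empty; drop the comma and confirm the two xref linkends resolve to the Thrift client-configuration section and to the new Server-Side Authentication section in security.xml. The re-wrapped "Documentation about the HBase Thrift API is located at ." shows the same empty-target symptom and should be checked at the same time.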