diff --git src/main/docbkx/security.xml src/main/docbkx/security.xml index 0e6ade0..ac25638 100644 --- src/main/docbkx/security.xml +++ src/main/docbkx/security.xml @@ -170,7 +170,8 @@ HTable table = new HTable(conf, tablename); Expect a ~10% performance penalty for encrypted communication. -
+ +
Client-side Configuration for Secure Operation - Thrift Gateway Add the following to the hbase-site.xml file for every Thrift gateway: @@ -186,7 +187,8 @@ HTable table = new HTable(conf, tablename); ]]> - Substitute the appropriate credential and keytab for $USER and $KEYTAB respectively. + Substitute the appropriate credential and keytab for $USER + and $KEYTAB respectively. In order to use the Thrift API principal to interact with HBase, it is also necessary to add the hbase.thrift.kerberos.principal to the _acl_ table. For example, to give the Thrift API principal, thrift_server, administrative @@ -201,7 +203,57 @@ grant 'thrift_server', 'RWCA' authentication will be performed by the Thrift gateway itself. All client access via the Thrift gateway will use the Thrift gateway's credential and have its privilege.
- +
+ Configure the Thrift Gateway to Authenticate on Behalf of the Client + describes how to authenticate a Thrift client + to HBase using a fixed user. As an alternative, you can configure the Thrift gateway to + authenticate to HBase on the client's behalf, and to access HBase using a proxy user. This + was implemented in HBASE-11349 for Thrift 1, and HBASE-11474 for + Thrift 2. + + Limitations with Thrift Framed Transport + If you use framed transport, you cannot yet take advantage of this feature, because + SASL does not work with Thrift framed transport at this time. + + To enable it, do the following. + + + Be sure Thrift is running in secure mode, by following the procedure described in + . + + + Be sure that HBase is configured to allow proxy users, as described in . + + + In hbase-site.xml for each cluster node running a Thrift + gateway, set the property hbase.thrift.security.qop to one of the following + three values: + + + auth-conf - authentication, integrity, and confidentiality + checking + + + auth-int - authentication and integrity checking + + + auth - authentication checking only + + + + + Restart the Thrift gateway processes for the changes to take effect. If a node is + running Thrift, the output of the jps command will list a + ThriftServer process. To stop Thrift on a node, run the command + bin/hbase-daemon.sh stop thrift. To start Thrift on a node, run the + command bin/hbase-daemon.sh start thrift. + + +
+
Client-side Configuration for Secure Operation - REST Gateway Add the following to the hbase-site.xml file for every REST gateway: @@ -215,7 +267,8 @@ grant 'thrift_server', 'RWCA' $USER/_HOST@HADOOP.LOCALDOMAIN ]]> - Substitute the appropriate credential and keytab for $USER and $KEYTAB respectively. + Substitute the appropriate credential and keytab for $USER + and $KEYTAB respectively. The REST gateway will authenticate with HBase using the supplied credential. No authentication will be performed by the REST gateway itself. All client access via the REST gateway will use the REST gateway's credential and have its privilege. @@ -233,7 +286,7 @@ grant 'rest_server', 'RWCA'
-
+
REST Gateway Impersonation Configuration By default, the REST gateway doesn't support impersonation. It accesses the HBase on behalf of clients as the user configured as in the previous section. To the HBase server, diff --git src/main/docbkx/thrift_filter_language.xml src/main/docbkx/thrift_filter_language.xml index 9af2954..a0535a4 100644 --- src/main/docbkx/thrift_filter_language.xml +++ src/main/docbkx/thrift_filter_language.xml @@ -28,13 +28,14 @@ --> Thrift API and Filter Language - Apache Thrift is a cross-platform, cross-language - development framework. HBase includes a Thrift API and filter language. The Thrift API - relies on client and server processes. Documentation about the HBase Thrift API is located - at . The rest of this chapter - discusses the filter language provided by the Thrift API. + Apache Thrift is a cross-platform, + cross-language development framework. HBase includes a Thrift API and filter language. The + Thrift API relies on client and server processes. Documentation about the HBase Thrift API + is located at . + You can configure Thrift for secure authentication at the server and client side, by + following the procedures in and . + The rest of this chapter discusses the filter language provided by the Thrift API.
Filter Language
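Review bot: In the @@ -201,7 +203,57 @@ hunk of security.xml, the list that follows "To enable it, do the following" never identifies the setting that actually switches the gateway into proxy mode: step 2 says to allow proxy users without naming the properties involved, and step 3 only chooses a SASL protection level through hbase.thrift.security.qop. If setting hbase.thrift.security.qop is what moves the gateway from the fixed-user mode of the previous section to per-client authentication, state that in step 3, and name the proxy-user properties in step 2 (or quote them from the section the xref points at) so a reader can tell which change enables the feature. The three qop values also need guidance rather than being offered as equals: with `auth` the client is authenticated and every request and result then crosses the wire unprotected, `auth-int` detects tampering but not eavesdropping, and only `auth-conf` ("authentication, integrity, and confidentiality checking") encrypts the Thrift traffic, so deployments carrying sensitive data should be pointed at `auth-conf`. Two smaller doc points in the same hunk: the context paragraph it sits under still states flatly "No authentication will be performed by the Thrift gateway itself. All client access via the Thrift gateway will use the Thrift gateway's credential", which is no longer true once this section is followed and should be qualified with a pointer to the new section; and the new section should say whether the `grant 'thrift_server', 'RWCA'` from the previous section is still required when the gateway acts on the client's behalf, since a gateway whose calls are authorized as the proxied user does not need full administrative rights of its own.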
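Review bot: In the thrift_filter_language.xml hunk (@@ -28,13 +28,14 @@), the added sentence "You can configure Thrift for secure authentication at the server and client side, by following the procedures in ... and ." has a stray comma before "by" and uses singular "side" for two sides; suggest "You can configure Thrift for secure authentication on both the server and the client by following the procedures in <xref> and <xref>." so it reads cleanly with the two cross-references.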