From c51e5e03adf6f54af28e4150c901d241e1668a68 Mon Sep 17 00:00:00 2001 From: Misty Stanley-Jones Date: Mon, 10 Aug 2015 09:54:42 +1000 Subject: [PATCH] HBASE-13425 Documentation nit in REST Gateway impersonation section --- src/main/asciidoc/_chapters/security.adoc | 32 ++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc index d63b701..c346435 100644 --- a/src/main/asciidoc/_chapters/security.adoc +++ b/src/main/asciidoc/_chapters/security.adoc 
@@ -236,39 +236,41 @@ To enable it, do the following. <> describes how to configure the Thrift gateway to authenticate to HBase on the client's behalf, and to access HBase using a proxy user. The limitation of this approach is that after the client is initialized with a particular set of credentials, it cannot change these credentials during the session. The `doAs` feature provides a flexible way to impersonate multiple principals using the same client. This feature was implemented in link:https://issues.apache.org/jira/browse/HBASE-12640[HBASE-12640] for Thrift 1, but is currently not available for Thrift 2. -*To allow proxy users*, add the following to the _hbase-site.xml_ file for every HBase node: +*To enable the `doAs` feature*, add the following to the _hbase-site.xml_ file for every Thrift gateway: [source,xml] ---- - hadoop.security.authorization + hbase.regionserver.thrift.http true - hadoop.proxyuser.$USER.groups - $GROUPS - - - hadoop.proxyuser.$USER.hosts - $GROUPS + hbase.thrift.support.proxyuser + true/value> ---- -*To enable the `doAs` feature*, add the following to the _hbase-site.xml_ file for every Thrift gateway: +*To allow proxy users* when using `doAs` impersonation, add the following to the _hbase-site.xml_ file for every HBase node: [source,xml] ---- - hbase.regionserver.thrift.http + hadoop.security.authorization true - hbase.thrift.support.proxyuser - true/value> + hadoop.proxyuser.$USER.groups + $GROUPS + + + hadoop.proxyuser.$USER.hosts + $GROUPS ---- -Take a look at the link:https://github.com/apache/hbase/blob/master/hbase-examples/src/main/java/org/apache/hadoop/hbase/thrift/HttpDoAsClient.java[demo client] to get an overall idea of how to use this feature in your client. +Take a look at the +link:https://github.com/apache/hbase/blob/master/hbase-examples/src/main/java/org/apache/hadoop/hbase/thrift/HttpDoAsClient.java[demo client] +to get an overall idea of how to use this feature in your client. 
=== Client-side Configuration for Secure Operation - REST Gateway @@ -306,6 +308,10 @@ To enable REST gateway Kerberos authentication for client access, add the follow [source,xml] ---- + hbase.rest.support.proxyuser + true + + hbase.rest.authentication.type kerberos -- 2.5.4 (Apple Git-61)
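Review bot: In the first hunk (@@ -236,39 +236,41 @@), the relocated `hbase.thrift.support.proxyuser` entry still ends in `true/value>` on the added side, so the malformed closing tag is moved to its new position rather than fixed. Since the line is being re-added anyway, correct it to a well-formed `</value>` so the snippet can be pasted into _hbase-site.xml_ as shown. In the same hunk, `hadoop.proxyuser.$USER.hosts` is re-added with the value `$GROUPS`, identical to the `.groups` entry above it. The property name says hosts while the placeholder says groups, so give it its own placeholder (for example `$HOSTS`) to avoid readers configuring the host restriction with a group list.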
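Review bot: In the second hunk (@@ -306,6 +308,10 @@), `hbase.rest.support.proxyuser` is added to the snippet whose lead-in reads "To enable REST gateway Kerberos authentication for client access", and no prose is changed alongside it. As written, a reader who only wants Kerberos authentication on the REST gateway will also turn on proxy-user support without being told what it does. Add a sentence before the snippet saying what the property is for and when it is needed, or place it with the REST Gateway impersonation text that the subject line refers to.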