Repository: hbase
Updated Branches:
  refs/heads/master 296383c93 -> 4b0efe551


HBASE-12708 Document newly introduced params for using Thrift-over-HTTPS. 
<Srikanth Srungarapu>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/4b0efe55
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/4b0efe55
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/4b0efe55

Branch: refs/heads/master
Commit: 4b0efe5515e6ec78bcf05c31cded16e831aef0dc
Parents: 296383c
Author: Misty Stanley-Jones <[email protected]>
Authored: Wed Jan 14 20:35:21 2015 -0800
Committer: Misty Stanley-Jones <[email protected]>
Committed: Wed Jan 14 20:36:56 2015 -0800

----------------------------------------------------------------------
 src/main/asciidoc/_chapters/security.adoc | 39 ++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/4b0efe55/src/main/asciidoc/_chapters/security.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/_chapters/security.adoc 
b/src/main/asciidoc/_chapters/security.adoc
index f265c99..5b4e262 100644
--- a/src/main/asciidoc/_chapters/security.adoc
+++ b/src/main/asciidoc/_chapters/security.adoc
@@ -214,6 +214,45 @@ To enable it, do the following.
   To stop Thrift on a node, run the command +bin/hbase-daemon.sh stop thrift+.
   To start Thrift on a node, run the command +bin/hbase-daemon.sh start 
thrift+.
 
+[[security.gateway.thrift.doas]]
+=== Configure the Thrift Gateway to Use the `doAs` Feature
+
+<<security.gateway.thrift>> describes how to configure the Thrift gateway to 
authenticate to HBase on the client's behalf, and to access HBase using a proxy 
user. The limitation of this approach is that after the client is initialized 
with a particular set of credentials, it cannot change these credentials during 
the session session. The `doAs` feature provides a flexible way to impersonate 
multiple principals using the same client. This feature was implemented in 
link:https://issues.apache.org/jira/browse/HBASE-12640[HBASE-12640] for Thrift 
1, but is currently not available for Thrift 2.
+
+*To allow proxy users*, add the following to the _hbase-site.xml_ file for 
every HBase node:
+
+[source,xml]
+----
+<property>
+  <name>hadoop.security.authorization</name>
+  <value>true</value>
+</property>
+<property>
+  <name>hadoop.proxyuser.$USER.groups</name>
+  <value>$GROUPS</value>
+</property>
+<property>
+  <name>hadoop.proxyuser.$USER.hosts</name>
+  <value>$GROUPS</value>
+</property>
+----
+
+*To enable the `doAs` feature*, add the following to the _hbase-site.xml_ file 
for every Thrift gateway:
+
+[source,xml]
+----
+<property>
+  <name>hbase.regionserver.thrift.http</name>
+  <value>true</value>
+</property>
+<property>
+  <name>hbase.thrift.support.proxyuser</name>
+  <value>true/value>
+</property>
+----
+
+Take a look at the 
link:https://github.com/apache/hbase/blob/master/hbase-examples/src/main/java/org/apache/hadoop/hbase/thrift/HttpDoAsClient.java[demo
 client] to get an overall idea of how to use this feature in your client.
+
 === Client-side Configuration for Secure Operation - REST Gateway
 
 Add the following to the [code]+hbase-site.xml+ file for every REST gateway: 
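Review bot: the closing tag in the `hbase.thrift.support.proxyuser` property is malformed: `<value>true/value>` is missing the `<` before `/value`, so a reader who copies the snippet into hbase-site.xml ends up with a file that is not well-formed XML. It should read `<value>true</value>`. In the proxy-user block, `hadoop.proxyuser.$USER.hosts` is given the value `$GROUPS`, the same placeholder used for the `.groups` property; a separate placeholder such as `$HOSTS` would make clear that a host list is expected there. Neither `$USER` nor `$GROUPS` is explained in the added text, so a sentence stating what to substitute for each (and that the values control which principals the gateway may impersonate and from where) would help readers avoid an overly broad setting. The first paragraph also contains a duplicated word in "during the session session".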
