[ https://issues.apache.org/jira/browse/HBASE-3615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13006551#comment-13006551 ]
Gary Helmling commented on HBASE-3615:
--------------------------------------
Ah, good catch on the protocol annotations! Yes, those definitely leak out the
secure Hadoop classes. The token auth stuff will be handled in a secure RPC
engine enabled via the pluggable RPC engines configuration. So the rest of the
implementation will be separated out from the standard HBaseClient/Server. We
can duplicate the annotation interfaces -- I'll look into the implications of
this for any lower level class dependencies.

For build, I'm thinking we have a separate optional build step (I guess
practically this means a separate Maven module?) with an isolated dependency on
secure Hadoop. The module would separate out source code for the secure RPC
engine and AccessController coprocessor and generate a separate jar for these
two security products. (Both are already configured in via class names in
hbase-site.xml and use established interfaces to prevent any direct
dependencies from core HBase code.) It sounds workable to me, but I'm too much
of a Maven noob to anticipate how difficult it'll be.

I'd love to start working out the build details with people at the hackathon
next week. But any thoughts before then are definitely welcome.

> Implement token based DIGEST-MD5 authentication for MapReduce tasks
> -------------------------------------------------------------------
>
> Key: HBASE-3615
> URL: https://issues.apache.org/jira/browse/HBASE-3615
> Project: HBase
> Issue Type: New Feature
> Components: ipc, security
> Reporter: Gary Helmling
> Assignee: Gary Helmling
> Fix For: 0.92.0
>
>
> HBase security currently supports Kerberos authentication for clients, but
> this isn't sufficient for map-reduce interoperability, where tasks execute
> without Kerberos credentials. In order to fully interoperate with map-reduce
> clients, we will need to provide our own token authentication mechanism,
> mirroring the Hadoop token authentication mechanisms. This will require
> obtaining an HBase authentication token for the user when the job is
> submitted, serializing it to a secure location, and then, at task execution,
> having the client or task code de-serialize the stored authentication token
> and use that in the HBase client authentication process.
>
> A detailed implementation proposal is sketched out on the wiki:
> http://wiki.apache.org/hadoop/Hbase/HBaseTokenAuthentication