[jira] [Updated] (HBASE-3615) Implement token based DIGEST-MD5 authentication for MapReduce tasks

Tue, 22 Mar 2011 12:39:45 -0700 

     [ 
https://issues.apache.org/jira/browse/HBASE-3615?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gary Helmling updated HBASE-3615:
---------------------------------

    Attachment: HBASE-3615.patch

Attaching a diff from the security branch 
(https://github.com/trendmicro/hbase/tree/security) implementing authentication 
tokens.  This builds on top of the secure RPC layer already in place 
(org.apache.hadoop.hbase.ipc.SecureClient, SecureRpcEngine, SecureServer), so 
sorry if changes to those are out of context.  If you'd like to see a fuller 
patch with those included, just ask.

You can ignore the changes to HBaseClient and HBaseServer.  Those are mostly 
fixes for subclassing of those by the secure RPC classes.

Most relevant will be the classes in org.apache.hadoop.hbase.security.token, 
annotation changes for RPC interfaces, and hooks in 
org.apache.hadoop.hbase.security.User and TableMapReduceUtil to obtain tokens.

> Implement token based DIGEST-MD5 authentication for MapReduce tasks
> -------------------------------------------------------------------
>
>                 Key: HBASE-3615
>                 URL: https://issues.apache.org/jira/browse/HBASE-3615
>             Project: HBase
>          Issue Type: New Feature
>          Components: ipc, security
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>             Fix For: 0.92.0
>
>         Attachments: HBASE-3615.patch
>
>
> HBase security currently supports Kerberos authentication for clients, but 
> this isn't sufficient for map-reduce interoperability, where tasks execute 
> without Kerberos credentials.  In order to fully interoperate with map-reduce 
> clients, we will need to provide our own token authentication mechanism, 
> mirroring the Hadoop token authentication mechanisms.  This will require 
> obtaining an HBase authentication token for the user when the job is 
> submitted, serializing it to a secure location, and then, at task execution, 
> having the client or task code de-serialize the stored authentication token 
> and use that in the HBase client authentication process.
> A detailed implementation proposal is sketched out on the wiki:
> http://wiki.apache.org/hadoop/Hbase/HBaseTokenAuthentication

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to