[jira] [Commented] (HBASE-9482) Do not enforce secure Hadoop for secure HBase

[Aditya Kishore (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HBASE-9482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13763979#comment-13763979
 ] 

Aditya Kishore commented on HBASE-9482:
---------------------------------------

Thanks [~stack]! And thanks [~ghelmling] for reviewing.
                
> Do not enforce secure Hadoop for secure HBase
> ---------------------------------------------
>
>                 Key: HBASE-9482
>                 URL: https://issues.apache.org/jira/browse/HBASE-9482
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.95.2, 0.94.11
>            Reporter: Aditya Kishore
>            Assignee: Aditya Kishore
>              Labels: security
>             Fix For: 0.98.0, 0.96.0
>
>         Attachments: HBASE-9482-0.94.patch, HBASE-9482-0.94.patch, 
> HBASE-9482-0.94.patch, HBASE-9482.patch, HBASE-9482.patch, HBASE-9482.patch, 
> HBASE-9482.patch
>
>
> We should recommend and not enforce secure Hadoop underneath as a requirement 
> to run secure HBase.
> Few of our customers have HBase clusters which expose only HBase services to 
> outside the physical network and no other services (including ssh) are 
> accessible from outside of such cluster.
> However they are forced to setup secure Hadoop and incur the penalty of 
> security overhead at filesystem layer even if they do not need to.
> The following code tests for both secure HBase and secure Hadoop.
> {code:title=org.apache.hadoop.hbase.security.User|borderStyle=solid}
>   /**
>    * Returns whether or not secure authentication is enabled for HBase.  Note 
> that
>    * HBase security requires HDFS security to provide any guarantees, so this 
> requires that
>    * both <code>hbase.security.authentication</code> and 
> <code>hadoop.security.authentication</code>
>    * are set to <code>kerberos</code>.
>    */
>   public static boolean isHBaseSecurityEnabled(Configuration conf) {
>     return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY)) &&
>         "kerberos".equalsIgnoreCase(
>             conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION));
>   }
> {code}
> What is worse that if {{"hadoop.security.authentication"}} is not set to 
> {{"kerberos"}} (undocumented at http://hbase.apache.org/book/security.html), 
> all other configuration have no impact and HBase RPCs silently switch back to 
> unsecured mode.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira