[ https://issues.apache.org/jira/browse/HBASE-2016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13817740#comment-13817740 ]

Andrew Purtell commented on HBASE-2016:
---------------------------------------
bq. Various ecosystem services like Hive or Oozie do support impersonation of
end users, thus bypassing that, and allow end users to be authenticated via
pluggable authentication (which may authenticate users against LDAP, MySQL
database and such). But for HBase Shell there's no impersonation possible as of
now

Hive or Oozie impersonate by utilizing a service process registered with the NN
in the NN config to be afforded the elevated privilege of impersonation, and
then they do their own thing. The HBase shell is a regular HBase client wrapped
with an HBase DSL within the JRuby IRB, which could run anywhere, and cannot be
trusted in that way. If I understand correctly, what you could use is some kind
of "administration server" which would reside at a fixed location and could be
trusted to impersonate, and then the shell could be modified to proxy
administrative commands through it. - Yes?
> [DAC] Authentication
> --------------------
>
> Key: HBASE-2016
> URL: https://issues.apache.org/jira/browse/HBASE-2016
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: Andrew Purtell
> Assignee: Gary Helmling
>
> Follow what Hadoop is doing. Authentication via JAAS:
> http://issues.apache.org/jira/browse/HADOOP-6299
>
> http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html
> Should support Kerberos, Unix, and LDAP authentication options.
> Integrate with authentication mechanisms for IPC and HDFS.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
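
The trust distinction drawn in the comment above, as an added example that is not part of the original message and is not Hadoop or HBase code: a simplified Python model of how Hadoop-style `hadoop.proxyuser.<name>.hosts` and `hadoop.proxyuser.<name>.groups` settings gate impersonation. The function `may_impersonate`, the addresses, the users and the group names are all constructed for illustration, and only exact addresses and the `*` wildcard are modelled.

```python
"""Simplified model of a Hadoop-style proxy-user (impersonation) check.
Added illustration; not Hadoop or HBase source code."""

# Constructed core-site.xml-style settings for a hypothetical deployment:
# the "oozie" service may impersonate, but only from one fixed host and
# only on behalf of users in the listed groups.
CONF = {
    "hadoop.proxyuser.oozie.hosts": "10.0.0.5",
    "hadoop.proxyuser.oozie.groups": "analysts,etl",
}

# Constructed user-to-group mapping (a real cluster resolves this itself).
USER_GROUPS = {"alice": {"analysts"}, "bob": {"contractors"}}


def _csv(value):
    """Split a comma-separated config value into a set of entries."""
    return {v.strip() for v in value.split(",") if v.strip()}


def may_impersonate(conf, real_user, remote_addr, effective_user,
                    user_groups=USER_GROUPS):
    """Return (allowed, reason) for real_user acting as effective_user."""
    hosts = conf.get(f"hadoop.proxyuser.{real_user}.hosts")
    groups = conf.get(f"hadoop.proxyuser.{real_user}.groups")
    if hosts is None or groups is None:
        return False, "real user is not configured as a proxy user"
    allowed_hosts = _csv(hosts)
    if "*" not in allowed_hosts and remote_addr not in allowed_hosts:
        return False, "caller's address is not an allowed proxy host"
    allowed_groups = _csv(groups)
    member_of = user_groups.get(effective_user, set())
    if "*" not in allowed_groups and not (member_of & allowed_groups):
        return False, "effective user is not in an allowed group"
    return True, "ok"


def demo():
    cases = [
        ("oozie", "10.0.0.5", "alice"),    # registered service at its fixed host
        ("oozie", "192.0.2.77", "alice"),  # same principal from an arbitrary host
        ("oozie", "10.0.0.5", "bob"),      # user outside the permitted groups
        ("carol", "10.0.0.5", "alice"),    # ordinary client, e.g. a shell user
    ]
    return [may_impersonate(CONF, *case)[0] for case in cases]


if __name__ == "__main__":
    print(demo())
```

Setting both properties to `*` removes the host and group restrictions entirely, so any host presenting the service's credentials could act as any user.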