[ https://issues.apache.org/jira/browse/HBASE-2016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13817740#comment-13817740 ]
Andrew Purtell commented on HBASE-2016:
---------------------------------------

bq. Various ecosystem services like Hive or Oozie do support impersonation of end users, thus bypassing that, and allow end users to be authenticated via pluggable authentication (which may authenticate users against ldap, mysql database and such). But for HBase Shell there's no impersonation possible as of now

Hive or Oozie impersonate by utilizing a service process registered with the NN in the NN config to be afforded the elevated privilege of impersonation, and then they do their own thing. The HBase shell is a regular HBase client wrapped with an HBase DSL within the JRuby IRB, which could run anywhere, and cannot be trusted in that way.

If I understand correctly, what you could use is some kind of "administration server" which would reside at a fixed location and could be trusted to impersonate, and then the shell could be modified to proxy administrative commands through it. - Yes?

> [DAC] Authentication
> --------------------
>
> Key: HBASE-2016
> URL: https://issues.apache.org/jira/browse/HBASE-2016
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: Andrew Purtell
> Assignee: Gary Helmling
>
> Follow what Hadoop is doing. Authentication via JAAS:
> http://issues.apache.org/jira/browse/HADOOP-6299
>
> http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html
> Should support Kerberos, Unix, and LDAP authentication options.
> Integrate with authentication mechanisms for IPC and HDFS.

--
This message was sent by Atlassian JIRA (v6.1#6144)