Authentication for REST clients
-------------------------------
Key: HBASE-4100
URL: https://issues.apache.org/jira/browse/HBASE-4100
Project: HBase
Issue Type: Sub-task
Components: security
Reporter: Gary Helmling
Like Thrift, the REST gateway is not currently integrated into the
authentication used for HBase RPC. Currently this means the REST gateway
cannot even be used when HBase security is active.
For the REST gateway to be able to interoperate with HBase security:
# the REST server needs to be able to login from a keytab on startup with its
own server principal
# REST clients need to be able to authenticate security with the REST server
# the REST server needs to be able to act as a trusted proxy for the original
client identities, so that the HBase authorization checks can be performed
against the original client request
Like Thrift, implementing step #1 as a bare minimum would at least allow
deploying a REST server configured to login as the application user on startup.
Even without authenticating REST clients, this would allow the gateway to work
when HBase security is active.
For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI
authentication of clients over HTTP. The Alfredo library from Cloudera would
hopefully make this relatively easy to do:
http://cloudera.github.com/alfredo/docs/latest/index.html
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
