[ https://issues.apache.org/jira/browse/HBASE-10646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13920370#comment-13920370 ]

Andrew Purtell commented on HBASE-10646:
----------------------------------------

bq. Does "merging" the secure rpc into the normal rpc make sense – a
negotiation at connection time and a runtime variable that says requires or
doesn't require secure rpc

The other security features that depend on subject identity not being spoofed
won't provide any assurance unless strong authentication is in effect.

bq. Can we just have a single security == true or security == false config
property?

Yes, I think that makes sense. It could enable the majority of features. It
could enable secure HBase RPC, set up ZooKeeper so we restrict internal znodes
with SASL ACLs, and trigger enumeration of security coprocessors to be loaded
as system coprocessors.

Specifically excluded should be the encrypting WAL writer. By its nature
encryption introduces latency, and on the WAL that lowers the ceiling on
systemwide write throughput. We can discuss this further on HBASE-10077 and
HBASE-10095 maybe.

> Enable security features by default for 1.0
> -------------------------------------------
>
> Key: HBASE-10646
> URL: https://issues.apache.org/jira/browse/HBASE-10646
> Project: HBase
> Issue Type: Task
> Affects Versions: 0.99.0
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
>
> As discussed in the last PMC meeting, we should enable security features by
> default in 1.0.