[jira] [Updated] (HBASE-4100) Authentication for REST clients

Wed, 21 Sep 2011 14:21:34 -0700 

     [ 
https://issues.apache.org/jira/browse/HBASE-4100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gary Helmling updated HBASE-4100:
---------------------------------

    Attachment: HBASE-4100.patch

This patch implements step #1 for the REST server, allowing it to login from a 
keytab file on startup.  The patch depends on a new method in the Strings class 
added in HBASE-4099.

Like the HBASE-4099 patch, this change is necessary for a REST server to work 
correctly with the SecureRpcEngine from HBASE-2742, when using Kerberos 
authentication.

> Authentication for REST clients
> -------------------------------
>
>                 Key: HBASE-4100
>                 URL: https://issues.apache.org/jira/browse/HBASE-4100
>             Project: HBase
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Gary Helmling
>         Attachments: HBASE-4100.patch
>
>
> Like Thrift, the REST gateway is not currently integrated into the 
> authentication used for HBase RPC.  Currently this means the REST gateway 
> cannot even be used when HBase security is active.
> For the REST gateway to be able to interoperate with HBase security:
> # the REST server needs to be able to login from a keytab on startup with its 
> own server principal
> # REST clients need to be able to authenticate security with the REST server
> # the REST server needs to be able to act as a trusted proxy for the original 
> client identities, so that the HBase authorization checks can be performed 
> against the original client request
> Like Thrift, implementing step #1 as a bare minimum would at least allow 
> deploying a REST server configured to login as the application user on 
> startup.  Even without authenticating REST clients, this would allow the 
> gateway to work when HBase security is active.
> For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI 
> authentication of clients over HTTP.  The Alfredo library from Cloudera would 
> hopefully make this relatively easy to do:
> http://cloudera.github.com/alfredo/docs/latest/index.html

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to