[
https://issues.apache.org/jira/browse/HBASE-4100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13112167#comment-13112167
]
Andrew Purtell commented on HBASE-4100:
---------------------------------------
+1
> Authentication for REST clients
> -------------------------------
>
> Key: HBASE-4100
> URL: https://issues.apache.org/jira/browse/HBASE-4100
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: Gary Helmling
> Attachments: HBASE-4100.patch
>
>
> Like Thrift, the REST gateway is not currently integrated into the
> authentication used for HBase RPC. Currently this means the REST gateway
> cannot even be used when HBase security is active.
> For the REST gateway to be able to interoperate with HBase security:
> # the REST server needs to be able to login from a keytab on startup with its
> own server principal
> # REST clients need to be able to authenticate security with the REST server
> # the REST server needs to be able to act as a trusted proxy for the original
> client identities, so that the HBase authorization checks can be performed
> against the original client request
> Like Thrift, implementing step #1 as a bare minimum would at least allow
> deploying a REST server configured to login as the application user on
> startup. Even without authenticating REST clients, this would allow the
> gateway to work when HBase security is active.
> For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI
> authentication of clients over HTTP. The Alfredo library from Cloudera would
> hopefully make this relatively easy to do:
> http://cloudera.github.com/alfredo/docs/latest/index.html
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
