[ https://issues.apache.org/jira/browse/HBASE-4817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14490657#comment-14490657 ]
Andrew Purtell commented on HBASE-4817:
---------------------------------------
Want to revisit [~ghelmling]? [~jerryhe] ?
> Simplify configuration of security components
> ---------------------------------------------
>
> Key: HBASE-4817
> URL: https://issues.apache.org/jira/browse/HBASE-4817
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Gary Helmling
>
> The HBase security features were built to be optionally loadable, when
> desired, and it shows through in the complexity of configuring security for
> operation.
> In addition to the baseline configuration required for process keytab files
> and server principals, the following properties need to be set to enable
> security:
> {code}
> <property>
> <name>hbase.security.authentication</name>
> <value>kerberos</value>
> </property>
> <property>
> <name>hbase.coprocessor.master.classes</name>
> <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
> <name>hbase.coprocessor.region.classes</name>
> <value>org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider</value>
> </property>
> <property>
> <name>hbase.rpc.engine</name>
> <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
> </property>
> <property>
> <name>hbase.zookeeper.property.authProvider.1</name>
> <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>
> </property>
> {code}
> We should be able to simplify this and automatically set up the underlying
> code components (required coprocessors, SecureRpcEngine) when some high level
> security flags are set.
> For authentication and authorization, I'd like to narrow it down to two simple
> configuration properties. When set, these would trigger automatic
> configuration of the required coprocessors/RpcEngine:
> * {{hbase.security.authentication}} - when set to {{kerberos}}, this would
> automatically:
> ** set {{hbase.rpc.engine=org.apache.hadoop.hbase.ipc.SecureRpcEngine}}
> ** add {{org.apache.hadoop.hbase.security.token.TokenProvider}} to the
> configuration for {{hbase.coprocessor.region.classes}}
> ** possibly also set
> {{hbase.zookeeper.property.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider}}
> for zookeeper?
> * {{hbase.security.authorization}} - when set to {{true}}, this would
> automatically:
> ** add {{org.apache.hadoop.hbase.security.access.AccessController}} to the
> configuration for both {{hbase.coprocessor.master.classes}} and
> {{hbase.coprocessor.region.classes}}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
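
The derivation proposed in the quoted issue description, written out as an added example (not part of the original message and not HBase code). It expands the two high-level flags into the underlying properties and reports which of them a hand-written hbase-site.xml lacks; the function names and the sample file are constructed for illustration, and the ZooKeeper provider, which the issue lists only as "possibly", is included as an assumption.

```python
import xml.etree.ElementTree as ET

AC = "org.apache.hadoop.hbase.security.access.AccessController"
TP = "org.apache.hadoop.hbase.security.token.TokenProvider"
MASTER = "hbase.coprocessor.master.classes"
REGION = "hbase.coprocessor.region.classes"

# Constructed sample: both flags set, but only TokenProvider wired in by hand.
SAMPLE_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.security.authorization</name><value>true</value></property>
  <property><name>hbase.coprocessor.region.classes</name><value>org.apache.hadoop.hbase.security.token.TokenProvider</value></property>
</configuration>"""

def parse_site(xml_text):
    """Read <property><name>/<value> pairs from hbase-site.xml text."""
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def _with_class(conf, key, cls):
    """Append cls to a comma-separated class list, keeping order, no duplicates."""
    classes = [c.strip() for c in conf.get(key, "").split(",") if c.strip()]
    if cls not in classes:
        classes.append(cls)
    conf[key] = ",".join(classes)

def expand_security_flags(conf):
    """Return a copy of conf plus the settings the two flags would imply."""
    out = dict(conf)
    if out.get("hbase.security.authentication", "").lower() == "kerberos":
        out["hbase.rpc.engine"] = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"
        _with_class(out, REGION, TP)
        # Listed only as "possibly" in the issue; treated as required here.
        out["hbase.zookeeper.property.authProvider.1"] = (
            "org.apache.zookeeper.server.auth.SASLAuthenticationProvider")
    if out.get("hbase.security.authorization", "").lower() == "true":
        _with_class(out, MASTER, AC)
        _with_class(out, REGION, AC)
    return out

def missing_settings(conf):
    """Property names that are absent from conf or differ from the derived value."""
    want = expand_security_flags(conf)
    norm = lambda v: v.replace(" ", "")
    return sorted(k for k, v in want.items() if norm(conf.get(k, "")) != norm(v))

if __name__ == "__main__":
    print(missing_settings(parse_site(SAMPLE_SITE)))
```
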