[
https://issues.apache.org/jira/browse/HBASE-14700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gary Helmling updated HBASE-14700:
----------------------------------
Description:
When implementing HBase security for an existing cluster, it can be useful to
support mixed secure and insecure clients while all client configurations are
migrated over to secure authentication.
We currently have an option to allow secure clients to fallback to simple auth
against insecure clusters. By providing an analogous setting for servers, we
would allow a phased rollout of security:
# First, security can be enabled on the cluster servers, with the "permissive"
mode enabled
# Clients can be converting to using secure authentication incrementally
# The server audit logs allow identification of clients still using simple auth
to connect
# Finally, when sufficient clients have been converted to secure operation, the
server-side "permissive" mode can be removed, allowing completely secure
operation.
Obviously with this enabled, there is no effective access control, but this
would still be a useful tool to enable a smooth operational rollout of
security. Permissive mode would of course be disabled by default. Enabling it
should provide a big scary warning in the logs on startup, and possibly be
flagged on relevant UIs.
was:
When implementing HBase security for an existing cluster, it can be useful to
support mixed secure and insecure clients while all client configurations are
migrated over to secure authentication.
We currently have an option to allow secure clients to fallback to simple auth
against insecure clusters. By providing an analogous setting for servers, we
would allow a phased rollout of security:
#. First, security can be enabled on the cluster servers, with the "permissive"
mode enabled
#. Clients can be converting to using secure authentication incrementally
#. The server audit logs allow identification of clients still using simple
auth to connect
#. Finally, when sufficient clients have been converted to secure operation,
the server-side "permissive" mode can be removed, allowing completely secure
operation.
Obviously with this enabled, there is no effective access control, but this
would still be a useful tool to enable a smooth operational rollout of
security. Permissive mode would of course be disabled by default. Enabling it
should provide a big scary warning in the logs on startup, and possibly be
flagged on relevant UIs.
> Support a "permissive" mode for secure clusters to allow "simple" auth clients
> ------------------------------------------------------------------------------
>
> Key: HBASE-14700
> URL: https://issues.apache.org/jira/browse/HBASE-14700
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Gary Helmling
> Assignee: Gary Helmling
>
> When implementing HBase security for an existing cluster, it can be useful to
> support mixed secure and insecure clients while all client configurations are
> migrated over to secure authentication.
> We currently have an option to allow secure clients to fallback to simple
> auth against insecure clusters. By providing an analogous setting for
> servers, we would allow a phased rollout of security:
> # First, security can be enabled on the cluster servers, with the
> "permissive" mode enabled
> # Clients can be converting to using secure authentication incrementally
> # The server audit logs allow identification of clients still using simple
> auth to connect
> # Finally, when sufficient clients have been converted to secure operation,
> the server-side "permissive" mode can be removed, allowing completely secure
> operation.
> Obviously with this enabled, there is no effective access control, but this
> would still be a useful tool to enable a smooth operational rollout of
> security. Permissive mode would of course be disabled by default. Enabling
> it should provide a big scary warning in the logs on startup, and possibly be
> flagged on relevant UIs.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
