[
https://issues.apache.org/jira/browse/HBASE-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13173897#comment-13173897
]
stack commented on HBASE-4099:
------------------------------
These have been committed?
> Authentication for ThriftServer clients
> ---------------------------------------
>
> Key: HBASE-4099
> URL: https://issues.apache.org/jira/browse/HBASE-4099
> Project: HBase
> Issue Type: Sub-task
> Components: security
> Reporter: Gary Helmling
> Attachments: HBASE-4099.patch
>
>
> The current implementation of HBase client authentication only works with the
> Java API. Alternate access gateways, like Thrift and REST are left out and
> will not work.
> For the ThriftServer to be able to fully interoperate with the security
> implementation:
> # the ThriftServer should be able to login from a keytab file with it's own
> server principal on startup
> # thrift clients should be able to authenticate securely when connecting to
> the server
> # the ThriftServer should be able to act as a proxy for those clients so that
> the RPCs it issues will be correctly authorized as the original client
> identities
> There is already some support for step 3 in UserGroupInformation and related
> classes.
> For step #2, we really need to look at what thrift itself supports.
> At a bare minimum, we need to implement step #1. If we do this, even without
> steps 2 & 3, this would at least allow deployments to use a ThriftServer per
> application user, and have the server login as that user on startup. Thrift
> clients may not be directly authenticated, but authorization checks for HBase
> could still be handled correctly this way.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
