[ https://issues.apache.org/jira/browse/HBASE-4100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary Helmling resolved HBASE-4100. ---------------------------------- Resolution: Duplicate Assignee: stack Change was applied as part of HBASE-5062 by stack. > Authentication for REST clients > ------------------------------- > > Key: HBASE-4100 > URL: https://issues.apache.org/jira/browse/HBASE-4100 > Project: HBase > Issue Type: Sub-task > Components: security > Reporter: Gary Helmling > Assignee: stack > Attachments: HBASE-4100.patch > > > Like Thrift, the REST gateway is not currently integrated into the > authentication used for HBase RPC. Currently this means the REST gateway > cannot even be used when HBase security is active. > For the REST gateway to be able to interoperate with HBase security: > # the REST server needs to be able to login from a keytab on startup with its > own server principal > # REST clients need to be able to authenticate security with the REST server > # the REST server needs to be able to act as a trusted proxy for the original > client identities, so that the HBase authorization checks can be performed > against the original client request > Like Thrift, implementing step #1 as a bare minimum would at least allow > deploying a REST server configured to login as the application user on > startup. Even without authenticating REST clients, this would allow the > gateway to work when HBase security is active. > For step #2, we can make use of SPNEGO to provide Kerberos/GSSAPI > authentication of clients over HTTP. The Alfredo library from Cloudera would > hopefully make this relatively easy to do: > http://cloudera.github.com/alfredo/docs/latest/index.html -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira