[ https://issues.apache.org/jira/browse/HBASE-8662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13687041#comment-13687041 ]

Francis Liu commented on HBASE-8662:
------------------------------------

Jimmy, took a quick look at the patch. I have some concerns:

- The usage of KerberosAuthenticationHandler directly instead of via AuthenticationFilter throws away the pluggability feature of the hadoop auth framework, which some users may need to provide support for their existing security infrastructure (i.e. us).
- Creating context for each user so they have their own connection pool seems clunky and inefficient, especially when you put a group of servers behind a load balancer. Adding more state and complexity into the code doesn't help either.

We've also been working on adding these features into stargate but were planning on releasing a patch after QA cycle is complete. I'm attaching an 0.94 patch for reference. The patch contains:

1. Usage of the auth framework to support pluggability
2. Support for SSL
3. Added a wrapper servlet to impersonate a user.
4. Patched the RPC layer to support per request proxy users. This was done in a backward compatible way. This should be even easier to do with PB trunk.

As a side-effect of #4 I managed to fix a bug where the protocol version is verified for each request, which should no longer be the case for VersionedProtocol.

This is how to configure kerberos auth:

    <property>
      <name>hbase.rest.authentication.kerberos.principal</name>
      <value>HTTP/_HOST@DOMAIN</value>
    </property>
    <property>
      <name>hbase.rest.authentication.kerberos.keytab</name>
      <value>http.dev.service.keytab</value>
    </property>
    <property>
      <name>hbase.rest.authentication.type</name>
      <value>kerberos</value>
    </property>

> [rest] support impersonation
> ----------------------------
>
>                 Key: HBASE-8662
>                 URL: https://issues.apache.org/jira/browse/HBASE-8662
>             Project: HBase
>          Issue Type: Sub-task
>          Components: REST, security
>            Reporter: Jimmy Xiang
>            Assignee: Jimmy Xiang
>             Fix For: 0.98.0
>
>         Attachments: trunk-8662.patch, trunk-8662_v2.patch
>
>
> Currently, our client API uses a fixed user: the current user. It should
> accept a user passed in, if authenticated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
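
Added example, not part of the original message or of the attached patch: a pre-deployment check of the three hbase.rest.authentication.* properties shown in the comment above. It assumes the properties sit in a Hadoop-style <configuration> file; the sample documents and the function names load_properties and check_rest_kerberos are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "hbase.rest.authentication."

# Constructed sample: the three properties from the comment inside a <configuration> root.
GOOD = """<configuration>
<property><name>hbase.rest.authentication.kerberos.principal</name><value>HTTP/_HOST@DOMAIN</value></property>
<property><name>hbase.rest.authentication.kerberos.keytab</name><value>http.dev.service.keytab</value></property>
<property><name>hbase.rest.authentication.type</name><value>kerberos</value></property>
</configuration>"""

# Constructed sample with two mistakes: a non-HTTP service name and no keytab.
BAD = """<configuration>
<property><name>hbase.rest.authentication.kerberos.principal</name><value>hbase/_HOST@DOMAIN</value></property>
<property><name>hbase.rest.authentication.type</name><value>kerberos</value></property>
</configuration>"""

def load_properties(xml_text):
    """Parse <property><name>/<value> pairs into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_rest_kerberos(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    auth_type = props.get(PREFIX + "type")
    if not auth_type:
        return [PREFIX + "type is not set"]
    if auth_type != "kerberos":
        # Another handler may be plugged in through the auth framework,
        # so the Kerberos-specific keys are not checked for it.
        return ["type is %r, not kerberos: Kerberos keys not checked" % auth_type]
    findings = []
    service, _, rest = props.get(PREFIX + "kerberos.principal", "").partition("/")
    host, _, realm = rest.partition("@")
    if service != "HTTP":
        findings.append("principal service name must be HTTP for SPNEGO")
    if not host or not realm:
        findings.append("principal must have the form HTTP/host@REALM")
    if not props.get(PREFIX + "kerberos.keytab"):
        findings.append("kerberos.keytab is not set")
    return findings

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_rest_kerberos(load_properties(text)))
```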