[ https://issues.apache.org/jira/browse/HBASE-8662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13687041#comment-13687041 ]

Francis Liu commented on HBASE-8662:
------------------------------------

Jimmy, took a quick look at the patch. I have some concerns:

- The usage of KerberosAuthenticationHandler directly instead of via 
AuthenticationFilter throws away the pluggability feature of the hadoop auth 
framework, which some users may need to provide support for their existing 
security infrastructure (i.e. us). 
- Creating context for each user so they have their own connection pool seems 
clunky and inefficient especially when you put a group of servers behind a load 
balancer. Adding more state and complexity into the code doesn't help either. 

We've also been working on adding these features into stargate but were 
planning on releasing a patch after QA cycle is complete. I'm attaching an 0.94 
patch for reference. The patch contains:

1. Usage of the auth framework to support pluggability
2. Support for SSL
3. Added a wrapper servlet to impersonate a user.
4. Patched the RPC layer to support per request proxy users. This was done in a 
backward compatible way. This should be even easier to do with PB trunk.

As a side-effect of #4 I managed to fix a bug where the protocol version is 
verified for each request which should no longer be the case for 
VersionedProtocol.

This is how to configure Kerberos auth:

  <property>
    <name>hbase.rest.authentication.kerberos.principal</name>
    <value>HTTP/_HOST@DOMAIN</value>
  </property>
  <property>
    <name>hbase.rest.authentication.kerberos.keytab</name>
    <value>http.dev.service.keytab</value>
  </property>
  <property>
    <name>hbase.rest.authentication.type</name>
    <value>kerberos</value>
  </property>

> [rest] support impersonation
> ----------------------------
>
>                 Key: HBASE-8662
>                 URL: https://issues.apache.org/jira/browse/HBASE-8662
>             Project: HBase
>          Issue Type: Sub-task
>          Components: REST, security
>            Reporter: Jimmy Xiang
>            Assignee: Jimmy Xiang
>             Fix For: 0.98.0
>
>         Attachments: trunk-8662.patch, trunk-8662_v2.patch
>
>
> Currently, our client API uses a fixed user: the current user. It should 
> accept a user passed in, if authenticated.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
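
An added example, not part of the original message or the attached patch: a Python check that parses an hbase-site.xml and audits the three hbase.rest.authentication.* properties quoted in the comment above. The sample XML is constructed, the function names are hypothetical, and the property names are assumed to be exactly as given in the comment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: GOOD mirrors the comment's settings, WEAK has two defects.
GOOD = """<configuration>
  <property><name>hbase.rest.authentication.type</name><value>kerberos</value></property>
  <property><name>hbase.rest.authentication.kerberos.principal</name><value>HTTP/_HOST@DOMAIN</value></property>
  <property><name>hbase.rest.authentication.kerberos.keytab</name><value>http.dev.service.keytab</value></property>
</configuration>"""
WEAK = """<configuration>
  <property><name>hbase.rest.authentication.type</name><value>kerberos</value></property>
  <property><name>hbase.rest.authentication.kerberos.principal</name><value>hbase/_HOST@DOMAIN</value></property>
</configuration>"""

PREFIX = "hbase.rest.authentication."
# SPNEGO clients request a ticket for HTTP/<host>, so the service name must be HTTP.
PRINCIPAL_RE = re.compile(r"^HTTP/[^/@\s]+@[^/@\s]+$")

def load_props(xml_text):
    """Return {name: value} from Hadoop-style <property> elements (last one wins)."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_rest_auth(xml_text):
    """Return a list of findings; an empty list means the Kerberos settings are present."""
    props = load_props(xml_text)
    auth_type = props.get(PREFIX + "type")
    if auth_type != "kerberos":
        # A site using a pluggable handler would expect a different value here.
        return [f"authentication.type is {auth_type!r}, expected 'kerberos'"]
    findings = []
    principal = props.get(PREFIX + "kerberos.principal", "")
    if not PRINCIPAL_RE.match(principal):
        findings.append(f"principal {principal!r} is not of the form HTTP/<host>@<REALM>")
    if not props.get(PREFIX + "kerberos.keytab"):
        findings.append("kerberos.keytab is not set")
    return findings

if __name__ == "__main__":
    for label, xml_text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_rest_auth(xml_text) or "ok")
```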
