Josh Elser created HBASE-23347:
----------------------------------
Summary: Pluggable RPC authentication
Key: HBASE-23347
URL: https://issues.apache.org/jira/browse/HBASE-23347
Project: HBase
Issue Type: Improvement
Components: rpc, security
Reporter: Josh Elser
Assignee: Josh Elser
Fix For: 3.0.0

Today in HBase, we rely on SASL to implement Kerberos and delegation token
authentication. The RPC client and server logic is very tightly coupled to our
three authentication mechanisms (the two previously mentioned plus simple
auth'n) for no good reason (other than "that's how it was built", best as I can
tell).

SASL's function is to decouple the "application" from how a request is being
authenticated, which means that, to support a variety of other authentication
approaches, we just need to be a little more flexible in letting developers
create their own authentication mechanism for HBase.

This is less for the "average joe" user to write their own authentication
plugin (eek), but more to allow us HBase developers to start iterating, see
what is possible.

I'll attach a full write-up on what I have today as to how I think we can add
these abstractions, as well as an initial implementation of this idea, with a
unit test that shows an end-to-end authentication solution against HBase.

cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots
of great feedback and support.