Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
---------------------------------------------------------------------

                 Key: HBASE-5291
                 URL: https://issues.apache.org/jira/browse/HBASE-5291
             Project: HBase
          Issue Type: Improvement
          Components: master, regionserver, security
            Reporter: Andrew Purtell


Like HADOOP-7119, the same motivations:

{quote}
Hadoop RPC already supports Kerberos authentication. 
{quote}

As does the HBase secure RPC engine.

{quote}
Kerberos enables single sign-on.

Popular browsers (Firefox and Internet Explorer) have support for Kerberos HTTP 
SPNEGO.

Adding support for Kerberos HTTP SPNEGO to [HBase] web consoles would provide a 
unified authentication mechanism and single sign-on for web UI and RPC.
{quote}

Also like HADOOP-7119, the same solution:

A servlet filter is configured in front of all Hadoop web consoles for 
authentication.

This filter checks whether the incoming request is already authenticated by 
looking for a signed HTTP cookie. If the cookie is present, its signature is 
valid and its value has not expired, the request continues to the page it 
invoked. If the cookie is missing, invalid or expired, the request is 
delegated to an authenticator handler. The authenticator handler is then 
responsible for requesting the user credentials from the user-agent and 
validating them. This may require one or more additional interactions between 
the authenticator handler and the user-agent (which will be multiple HTTP 
requests). Once the authenticator handler verifies the credentials and 
generates an authentication token, a signed cookie is returned to the 
user-agent for all subsequent invocations.

The authenticator handler is pluggable and 2 implementations are provided out 
of the box: pseudo/simple and kerberos.

1. The pseudo/simple authenticator handler is equivalent to the Hadoop 
pseudo/simple authentication. It trusts the value of the user.name query string 
parameter. The pseudo/simple authenticator handler supports an anonymous mode 
which accepts any request without requiring the user.name query string 
parameter to create the token. This is the default behavior, preserving the 
behavior of the HBase web consoles before this patch.

2. The kerberos authenticator handler implements Kerberos HTTP SPNEGO 
authentication. This authenticator handler will generate a token only if a 
successful Kerberos HTTP SPNEGO interaction is performed between the user-agent 
and the authenticator. Browsers like Firefox and Internet Explorer support 
Kerberos HTTP SPNEGO.

We can build on the support added to Hadoop via HADOOP-7119. Should just be a 
matter of wiring up the filter to our infoservers in a similar manner. 

And from 
https://issues.apache.org/jira/browse/HBASE-5050?focusedCommentId=13171086&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13171086

{quote}
Hadoop 0.23 onwards has a hadoop-auth artifact that provides SPNEGO/Kerberos 
authentication for webapps via a filter. You should consider using it. You 
don't have to move HBase to 0.23 for that, just consume the hadoop-auth 
artifact, which has no dependencies on the rest of Hadoop 0.23 artifacts.
{quote}
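
The filter flow described above (signed cookie check, then delegation to a pluggable authenticator handler), as an added sketch that is not code from this issue, HBase or hadoop-auth. The cookie layout, `SECRET`, `VALIDITY_SECONDS` and all function names are assumptions made for illustration; the handler is modelled as a callable that returns `(user, auth_type)` or `(None, None)` while negotiation is still in progress.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SECRET = b"constructed-demo-secret"  # assumption: server-side signing key
VALIDITY_SECONDS = 3600              # assumption: token lifetime


def _mac(value: str) -> str:
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, auth_type: str, now: int) -> str:
    """Sign a token after the handler has verified the credentials."""
    value = urlencode({"u": user, "t": auth_type, "e": now + VALIDITY_SECONDS})
    return f"{value}&s={_mac(value)}"  # hypothetical cookie layout


def verify_cookie(cookie, now: int):
    """Return the user if the cookie is present, authentic and unexpired."""
    if not cookie or "&s=" not in cookie:
        return None
    value, _, mac = cookie.rpartition("&s=")
    # Constant-time comparison; check the signature before parsing any field.
    if not hmac.compare_digest(mac.encode(), _mac(value).encode()):
        return None
    fields = dict(parse_qsl(value))
    if int(fields["e"]) <= now:
        return None
    return fields["u"]


def filter_request(cookie, handler, now: int):
    """Return (action, user, cookie_to_set) for one incoming request."""
    user = verify_cookie(cookie, now)
    if user is not None:
        return ("continue", user, None)
    # Missing, invalid or expired cookie: delegate to the pluggable handler.
    user, auth_type = handler()
    if user is None:
        # Negotiation not finished (SPNEGO may take several round trips).
        return ("challenge", None, None)
    return ("continue", user, issue_token(user, auth_type, now))
```
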
