> how to use or config the custom authentication ?

Assuming your authentication solution implements properly the key interfaces *SaslServerAuthenticationProvider*, *SaslClientAuthenticationProvider* and *BuiltInProviderSelector*, you need to specify each of these implementations on the *hbase.client.sasl.provider.class*, *hbase.client.sasl.provider.extras* and *hbase.server.sasl.provider.extras* you had mentioned. These must be set on both client and server side, so your custom classes must be present on both client and server classpaths.

> I check the test code, why we need setUp kerberos first?

HBase security here means an authentication system is set. Right now, hbase only supports kerberos as an authentication mechanism. So the RPC sub-system would only apply any of its authentication checks if security is enabled, and by that we mean *hbase.security.authentication* is set to *kerberos*.

> if i add a extras but the client use simple
>
> the auth can be bypassed

This would only happen if you had explicitly set *hbase.ipc.server.fallback-to-simple-auth-allowed* property to *true* on the server configuration.

> what i missed?

Can you share both your client and server configs? Do you see any suggestive messages on client/server logs (TRACE level might be helpful here)? Would it be feasible for you to share your implementations of *SaslServerAuthenticationProvider*, *SaslClientAuthenticationProvider* and *BuiltInProviderSelector* (I understand this might not be desirable, maybe just some snippets of specific method implementation here)? For instance, both Server and Client provider implementations should return the very same type in getTokenKind() method implementation.

On Mon, Apr 27, 2020 at 05:59, 陈叶超 <[email protected]> wrote:

> Hi all:
>
> in https://issues.apache.org/jira/browse/HBASE-23347 introduce a pluggable
> rpc authentication
>
> https://github.com/apache/hbase/pull/884
>
> I want to use this pr to create a custom auth
>
> how to use or config the custom authentication ?
>
> I check the test code, why we need setUp kerberos first?
>
> and seems server offer three simple/gss/ Digest and extras auth
>
> if i add a extras but the client use simple
>
> the auth can be bypassed
>
> now i just set three properties :
>
> hbase.client.sasl.provider.class
>
> hbase.client.sasl.provider.extras
>
> hbase.server.sasl.provider.extras
>
> what i missed?
>
> I check the code
>
> in ServerRpcConnection.java
>
> ```java
> //from me: if client pass the simple authbyte? we just use simple???
> this.provider = this.saslProviders.selectProvider(authbyte);
> if (this.provider == null) {
>   String msg = getFatalConnectionString(version, authbyte);
>   doBadPreambleHandling(msg, new BadAuthException(msg));
>   return false;
> }
> //from me : don't understand here
> // TODO this is a wart while simple auth'n doesn't go through sasl.
> if (this.rpcServer.isSecurityEnabled && isSimpleAuthentication()) {
>   if (this.rpcServer.allowFallbackToSimpleAuth) {
>     this.rpcServer.metrics.authenticationFallback();
>     authenticatedWithFallback = true;
>   } else {
>     AccessDeniedException ae = new AccessDeniedException("Authentication is required");
>     doRespond(getErrorResponse(ae.getMessage(), ae));
>     return false;
>   }
> }
> //from me : don't understand here ?
> if (!this.rpcServer.isSecurityEnabled && !isSimpleAuthentication()) {
>   doRawSaslReply(SaslStatus.SUCCESS, new IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null,
>     null);
>   provider = saslProviders.getSimpleProvider();
>   // client has already sent the initial Sasl message and we
>   // should ignore it. Both client and server should fall back
>   // to simple auth from now on.
>   skipInitialSaslHandshake = true;
> }
> useSasl = true;
> ```
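
A small audit of the two server-side settings the reply points to, added here as an example and not part of the thread or of HBase's code: it models the two `if` branches of the quoted `ServerRpcConnection` snippet for a simple-auth client and a SASL client. The sample configs, function names and outcome labels are constructed, and the values assumed when a property is absent (`simple` and `false`) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed server-side hbase-site.xml fragments (not taken from the thread).
HARDENED = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
</configuration>"""
FALLBACK = HARDENED.replace("</configuration>", """
  <property><name>hbase.ipc.server.fallback-to-simple-auth-allowed</name><value>true</value></property>
</configuration>""")
UNSECURED = "<configuration></configuration>"

def load_props(xml_text):
    """Parse hbase-site.xml text into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        props[(prop.findtext("name") or "").strip()] = (prop.findtext("value") or "").strip()
    return props

def preamble_outcome(props, client_is_simple):
    """Mirror the two 'if' branches of the quoted snippet for one client preamble."""
    # Per the reply: security is enabled only when this property is 'kerberos'.
    secure = props.get("hbase.security.authentication", "simple").lower() == "kerberos"
    fallback = props.get("hbase.ipc.server.fallback-to-simple-auth-allowed", "false").lower() == "true"
    if secure and client_is_simple:
        # Secure server, client sent the simple auth byte.
        return "simple-accepted-via-fallback" if fallback else "rejected-authentication-required"
    if not secure and not client_is_simple:
        # Unsecured server, client attempted SASL: both sides drop to simple.
        return "switched-to-simple"
    return "sasl-handshake" if secure else "simple-accepted"

def audit(xml_text):
    """Return findings for configs where a client is served without authenticating."""
    props, findings = load_props(xml_text), []
    if preamble_outcome(props, client_is_simple=True) != "rejected-authentication-required":
        findings.append("simple-auth clients are accepted")
    if preamble_outcome(props, client_is_simple=False) == "switched-to-simple":
        findings.append("SASL clients (custom providers included) are downgraded to simple")
    return findings

if __name__ == "__main__":
    for label, xml_text in [("hardened", HARDENED), ("fallback", FALLBACK), ("unsecured", UNSECURED)]:
        print(label, audit(xml_text) or "ok")
```
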
