Thanks for the reply. It seems we can't customize an authentication plugin with code compatibility.

Wellington Chevreuil <[email protected]> wrote on Monday, April 27, 2020 at 5:10 PM:

> > how to use or config the custom authentication ?
>
> Assuming your authentication solution implements properly the key
> interfaces *SaslServerAuthenticationProvider*,
> *SaslClientAuthenticationProvider* and *BuiltInProviderSelector*, you need
> to specify each of these implementations on the
> *hbase.client.sasl.provider.class*, *hbase.client.sasl.provider.extras* and
> *hbase.server.sasl.provider.extras* you had mentioned. These must be set on
> both client and server side, so your custom classes must be present on both
> client and server classpaths.
>
> > I check the test code ,why we need setUp kerberos first?
>
> HBase security here means an authentication system is set. Right now, HBase
> only supports kerberos as an authentication mechanism. So the RPC
> sub-system would only apply any of its authentication checks if security is
> enabled, and by that we mean *hbase.security.authentication* is set to
> *kerberos*.
>
> > if i add a extras but the client use simple
> >
> > the auth can be by pass
>
> This would only happen if you had explicitly set
> *hbase.ipc.server.fallback-to-simple-auth-allowed* property to *true* on
> the server configuration.
>
> > what i missed?
>
> Can you share both your client and server configs? Do you see any
> suggestive messages on client/server logs (TRACE level might be helpful
> here)? Would it be feasible for you to share your implementations of
> *SaslServerAuthenticationProvider*, *SaslClientAuthenticationProvider*
> and *BuiltInProviderSelector* (I understand this might not be desirable,
> maybe just some snippets of specific method implementation here)? For
> instance, both Server and Client provider implementations should return
> the very same type in getTokenKind() method implementation.
>
> On Mon, Apr 27, 2020 at 05:59, 陈叶超 <[email protected]> wrote:
>
> > Hi all:
> >
> > in https://issues.apache.org/jira/browse/HBASE-23347 introduce a pluggable
> > rpc authentication
> >
> > https://github.com/apache/hbase/pull/884
> >
> > I want to use this pr to create a custom auth
> >
> > how to use or config the custom authentication ?
> >
> > I check the test code ,why we need setUp kerberos first?
> >
> > and seems server offer three simple/gss/ Digest and extras auth*
> >
> > if i add a extras but the client use simple
> >
> > the auth can be by pass
> >
> > now i just set three properties :
> >
> > hbase.client.sasl.provider.class
> >
> > hbase.client.sasl.provider.extras
> >
> > hbase.server.sasl.provider.extras
> >
> > what i missed?
> >
> > I check the code
> >
> > in ServerRpcConnection.java
> >
> > ```java
> > //from me: if client pass the simple authbyte? we just use simple???
> > this.provider = this.saslProviders.selectProvider(authbyte);
> > if (this.provider == null) {
> >   String msg = getFatalConnectionString(version, authbyte);
> >   doBadPreambleHandling(msg, new BadAuthException(msg));
> >   return false;
> > }
> > //from me : don't understand here
> > // TODO this is a wart while simple auth'n doesn't go through sasl.
> > if (this.rpcServer.isSecurityEnabled && isSimpleAuthentication()) {
> >   if (this.rpcServer.allowFallbackToSimpleAuth) {
> >     this.rpcServer.metrics.authenticationFallback();
> >     authenticatedWithFallback = true;
> >   } else {
> >     AccessDeniedException ae = new AccessDeniedException("Authentication is required");
> >     doRespond(getErrorResponse(ae.getMessage(), ae));
> >     return false;
> >   }
> > }
> > //from me : don't understand here ?
> > if (!this.rpcServer.isSecurityEnabled && !isSimpleAuthentication()) {
> >   doRawSaslReply(SaslStatus.SUCCESS, new IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null,
> >     null);
> >   provider = saslProviders.getSimpleProvider();
> >   // client has already sent the initial Sasl message and we
> >   // should ignore it. Both client and server should fall back
> >   // to simple auth from now on.
> >   skipInitialSaslHandshake = true;
> > }
> > useSasl = true;
> > ```
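
An added example, not part of the original thread or of the HBase code base: a small Python check over `hbase-site.xml` content for the settings discussed above, reporting when authentication is not `kerberos`, when the server allows fallback to simple auth, and when one of the three provider properties is unset. The sample XML and the `com.example.*` class names are constructed, and the defaults used for unset properties (`simple`, `false`) are assumptions.

```python
import xml.etree.ElementTree as ET

# Property names are the ones quoted in the thread.
AUTH = "hbase.security.authentication"
FALLBACK = "hbase.ipc.server.fallback-to-simple-auth-allowed"
PROVIDER_KEYS = (
    "hbase.client.sasl.provider.class",
    "hbase.client.sasl.provider.extras",
    "hbase.server.sasl.provider.extras",
)

def load_site(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(props, role):
    """Return findings for one side ('server' or 'client') of the RPC link."""
    findings = []
    # Assumed defaults when a property is absent: "simple" and "false".
    if props.get(AUTH, "simple").lower() != "kerberos":
        findings.append(f"{role}: {AUTH} is not kerberos, RPC authentication checks are not applied")
    if role == "server" and props.get(FALLBACK, "false").lower() == "true":
        findings.append(f"server: {FALLBACK} is true, simple-auth clients are accepted")
    for key in PROVIDER_KEYS:  # the thread says all three go on both sides
        if not props.get(key):
            findings.append(f"{role}: {key} is not set")
    return findings

# Constructed sample configs; the com.example.* class names are hypothetical.
SERVER_XML = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.ipc.server.fallback-to-simple-auth-allowed</name><value>true</value></property>
  <property><name>hbase.server.sasl.provider.extras</name><value>com.example.auth.MyServerProvider</value></property>
</configuration>"""
CLIENT_XML = """<configuration>
  <property><name>hbase.client.sasl.provider.class</name><value>com.example.auth.MySelector</value></property>
  <property><name>hbase.client.sasl.provider.extras</name><value>com.example.auth.MyClientProvider</value></property>
  <property><name>hbase.server.sasl.provider.extras</name><value>com.example.auth.MyServerProvider</value></property>
</configuration>"""

if __name__ == "__main__":
    for role, text in (("server", SERVER_XML), ("client", CLIENT_XML)):
        for finding in audit(load_site(text), role):
            print(finding)
```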
