Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Plain View
HBase >> mail # user >> hbase security API


+
Tony Dean 2012-07-01, 18:32
+
Tony Dean 2012-07-02, 00:29
+
Andrew Purtell 2012-07-02, 00:58
Copy link to this message
-
Re: HBase Security API
IMO, the application that you are referring should be set up to impersonate other users (called proxy-user authentication).

Have a look at http://hadoop.apache.org/common/docs/r1.0.3/Secure_Impersonation.html. This can be mapped to the HBase land..

I think the class org.apache.hadoop.hbase.security.User should provide an API to create proxy users.

On Jul 1, 2012, at 5:29 PM, Tony Dean wrote:

> Posting this again in plaintext to see if it registers successfully.
>
> Hi,
>
> It appears that the Kerberos authentication integration into HBase is via JAAS Krb5LoginModule.  That is,
> I can setup up the "Client" application context and configure where/how the client Kerberos principle is
> authenticated (TGT).  Correct?  If I have a multi-tenant application that performs scans/gets/puts based
> on different users, what is the appropriate way to specify the Kerberos principle to use on each thread?
> I was thinking that I could use a JAAS callbackHandler to specify the principle to use and then configure
> the login module to query a keytab for the principal's password key.  Or do I have to create a Subject and
> configure the login module to use the shared state?
>
> What's an application's integration point into specifying what client Kerberos principal to authenticate and use.
>
>
> Thank you!
>
>
> Tony Dean
> SAS Institute Inc.
> Senior Software Developer
> 919-531-6704
>
>
>
>