Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Threaded View
HBase, mail # user - HBase Integration with Active Directory


Copy link to this message
-
Re: HBase Integration with Active Directory
Harsh J 2012-12-09, 20:58
Hi,

Correct me if I'm wrong, but HBase presently has no reliance on the
concept of groups, just users. For authenticating users, it relies on
Hadoop Common's security libraries, which is the same as is used by
HDFS for authentication. The Hadoop Common security libraries provided
auth_to_local form of configs for transforming AD->KDC principal
names, which HBase can leverage as well (via the same configs).

Essentially, if you make HBase see Hadoop's proper security configs
(including any AD-required ones), then that's all there is to it.

Back to the concept of groups, the reason I mentioned it is that for
permissions model the NameNode uses a Groups mapping plugin, to get an
accurate picture of the groups a user may belong to. For this to be
consistent in an AD environment, Hadoop Common provides a LDAP-mapping
feature. This lies outside of authentication layers, and is useful
only in cases of HDFS and MapReduce which have group-wise applications
and configurations.

On Mon, Dec 10, 2012 at 2:20 AM, anil gupta <[EMAIL PROTECTED]> wrote:
> Hi Harsh,
>
> We are in process of installing a HBase cluster with a secure HDFS and
> HBase. We already have a secure HDFS integrated with AD but we are still
> trying to figure out a way to integrate HBase with AD(directly or
> indirectly throgh KDC). I think my colleague has already implemented the
> stuff provided in previous link for securing HDFS. :) However, i will try
> to correlate this article for HBase installation and see if we can make
> HBase work with AD. Thanks a lot for your response and time.
>
> PS: It might be possible to integrate HBase with AD but till now i have
> found no reference or documentation for it.
>
> Thanks,
> Anil Gupta
>
> On Sat, Dec 8, 2012 at 11:17 AM, Harsh J <[EMAIL PROTECTED]> wrote:
>
>> Hi,
>>
>> An KDC can be made to trust an AD, which would solve your need. This
>>
>> https://ccp.cloudera.com/display/CDH4DOC/Integrating+Hadoop+Security+with+Active+Directory
>> is one guide that details on how to set it up.
>>
>> HBase wraps very little logic over Hadoop's security providing
>> classes, so proper Hadoop security configuration (such as
>> auth_to_local rules, etc.) will work for HBase directly and you can
>> have all your AD users onboard for authentication.
>>
>> Does this answer your question?
>>
>> On Sat, Dec 8, 2012 at 11:43 PM, anil gupta <[EMAIL PROTECTED]> wrote:
>> > Hi Harsh,
>> >
>> > Both of the approach you mentioned would be ok for us. We are aware that
>> > Hadoop can be integrated with Active Directory. But, i could not find any
>> > such reference for HBase. Do you have any idea about this? Any link or
>> > documentation on this would be really helpful.
>> >
>> > Thanks,
>> > Anil Gupta
>> >
>> > On Sat, Dec 8, 2012 at 7:54 AM, Harsh J <[EMAIL PROTECTED]> wrote:
>> >
>> >> Do you want to have just AD (via LDAP) based authentication (not sure
>> >> what I'm talking of here, really), or kerberos based authentication
>> >> but with an automatic binding to AD (via LDAP) for all the
>> >> allowed/available users?
>> >>
>> >> On Tue, Dec 4, 2012 at 11:19 AM, anil gupta <[EMAIL PROTECTED]>
>> wrote:
>> >> > Hi All,
>> >> >
>> >> > We would like to integrate HBase with our corporate Active Directory
>> for
>> >> > authentication and authorization of HBase users.  I have gone through
>> the
>> >> > following links in HBase:
>> >> >
>> >>
>> http://blog.cloudera.com/blog/2012/09/understanding-user-authentication-and-authorization-in-apache-hbase/
>> >> > http://hbase.apache.org/book/security.html
>> >> >
>> >> > I am a novice at Kerberos and Active Directory(LDAP). So, I would
>> like to
>> >> > know whether HBase can be integrated with Active Directory(LDAP) or
>> not?
>> >> Is
>> >> > anyone using LDAP for Authentication and Authorization in HBase? If
>> yes,
>> >> it
>> >> > would be great if someone can give me high level steps. Is it
>> something
>> >> > similar Kerberos integration with Active Directory in Hadoop?
>> >> >

Harsh J