HBase, mail # user - hbase multi-user security


Re: hbase multi-user security
Devaraj Das 2012-07-12, 18:13

On Jul 11, 2012, at 10:41 AM, Tony Dean wrote:

> Hi,
>
> Looking into hbase security, it appears that when HBaseRPC is creating a proxy (e.g., SecureRpcEngine), it injects the current user:
> User.getCurrent() which by default is the cached Kerberos TGT (kinit'ed user - using the "hadoop-user-kerberos" JAAS context).
>
> Since the server proxy always uses User.getCurrent(), how can an application inject the user it wants to use for authorization checks on the peer (region server)?
>
> And since SecureHadoopUser is a static class, how can you have more than 1 active user in the same application?
>
> What you have works for a single user application like the hbase shell, but what about a multi-user application?
>

Over in Hadoop, in order to support use cases like Oozie where it would need to talk to NameNode and JobTracker on behalf of other users, the concept of secure impersonation was introduced. Have a look at http://hadoop.apache.org/common/docs/r1.0.3/Secure_Impersonation.html. This can be mapped to the HBase land. Do you think this would address your need, Tony?

> Am I missing something?
>
> Thanks!
> Tony Dean
> SAS Institute Inc.
> Senior Software Developer
> 919-531-6704
>
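
The Hadoop secure-impersonation pattern the reply points to, shown against HDFS as an added example (not code from this thread or from the HBase project). The service principal `appsvc`, the keytab path and the end-user names are assumptions chosen for illustration.

```java
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.UserGroupInformation;

public class ImpersonationExample {
    // Hypothetical service identity. The NameNode must list it as a proxy user:
    //   hadoop.proxyuser.appsvc.hosts  = hosts the service may connect from
    //   hadoop.proxyuser.appsvc.groups = groups whose members it may impersonate
    // Keep both lists narrow: whoever holds this keytab can act as those users.
    static final String SERVICE_PRINCIPAL = "appsvc/host.example.com@EXAMPLE.COM";
    static final String SERVICE_KEYTAB = "/etc/security/keytabs/appsvc.keytab";

    /** Lists the end user's home directory with that user's permissions. */
    static FileStatus[] listHomeAs(String endUser, final Configuration conf)
            throws Exception {
        // Only the service holds Kerberos credentials. The end user is asserted
        // by the service and accepted by the server per the proxyuser settings.
        UserGroupInformation proxy = UserGroupInformation.createProxyUser(
                endUser, UserGroupInformation.getLoginUser());
        return proxy.doAs(new PrivilegedExceptionAction<FileStatus[]>() {
            public FileStatus[] run() throws Exception {
                // Obtained inside doAs, so the RPC connection carries endUser.
                FileSystem fs = FileSystem.get(conf);
                return fs.listStatus(fs.getHomeDirectory());
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(SERVICE_PRINCIPAL, SERVICE_KEYTAB);

        // Each request builds its own UGI, so several end users can be active
        // in one process without touching the static login user.
        for (String endUser : new String[] {"alice", "bob"}) {
            for (FileStatus st : listHomeAs(endUser, conf)) {
                System.out.println(endUser + " " + st.getPath());
            }
        }
    }
}
```

The application is responsible for authenticating `alice` and `bob` itself before calling `listHomeAs`, because the cluster only verifies the service's Kerberos identity and the proxy-user configuration.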