Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Plain View
HBase, mail # user - HBase Integration with Active Directory


+
anil gupta 2012-12-04, 05:49
+
Harsh J 2012-12-08, 15:54
+
anil gupta 2012-12-08, 18:13
+
Harsh J 2012-12-08, 19:17
+
anil gupta 2012-12-09, 20:50
+
Harsh J 2012-12-09, 20:58
+
anil gupta 2012-12-09, 21:47
+
Harsh J 2012-12-09, 22:33
Copy link to this message
-
Re: HBase Integration with Active Directory
anil gupta 2012-12-11, 07:58
Thanks a lot for the responses, Harsh. Even i thought that if HBase does
not supports Authorization with AD then we might need to write a
coprocessor.

On Sun, Dec 9, 2012 at 2:33 PM, Harsh J <[EMAIL PROTECTED]> wrote:

> Ah alright. To rephrase my answer: Authentication in HBase via AD is
> supported, but direct Authorization of tables via AD is not.
>
> You'd need to either come up with your own co-processors or enhance
> the AccessController to feed its ACL data off of LDAP instead of a
> system table (a pluggable design perhaps, or if going the cheap way, a
> continuous application that syncs the LDAP ACLs state to the HBase
> system table state periodically).
>
> On Mon, Dec 10, 2012 at 3:17 AM, anil gupta <[EMAIL PROTECTED]> wrote:
> > Hi Harsh,
> >
> > HBase has a concept of ACL. But, these ACL's are maintained as another
> > system table "*_acl_*"(similar to Meta and Root) in HBase.  See:
> > hbase.apache.org/book/hbase.accesscontrol.configuration.html.
> > Instead of HBase maintaining these ACL's as a system table we want HBase
> to
> > understand the ACL's of AD(directly or indirectly through Kerberos) so
> that
> > we are not maintaining users at many places.
> > So, for a client to query a HBase table, first the client will need to
> > authenticate through HBase Client API.(For example: client authenticates
> to
> > Oracle through JDBC api before a query is run on the DB and this Oracle
> > instance is integrated to AD). I hope this clarifies my requirement.
> >
> > Thanks,
> > Anil Gupta
> >
> >
> > On Sun, Dec 9, 2012 at 12:58 PM, Harsh J <[EMAIL PROTECTED]> wrote:
> >
> >> Hi,
> >>
> >> Correct me if I'm wrong, but HBase presently has no reliance on the
> >> concept of groups, just users. For authenticating users, it relies on
> >> Hadoop Common's security libraries, which is the same as is used by
> >> HDFS for authentication. The Hadoop Common security libraries provided
> >> auth_to_local form of configs for transforming AD->KDC principal
> >> names, which HBase can leverage as well (via the same configs).
> >>
> >> Essentially, if you make HBase see Hadoop's proper security configs
> >> (including any AD-required ones), then that's all there is to it.
> >>
> >> Back to the concept of groups, the reason I mentioned it is that for
> >> permissions model the NameNode uses a Groups mapping plugin, to get an
> >> accurate picture of the groups a user may belong to. For this to be
> >> consistent in an AD environment, Hadoop Common provides a LDAP-mapping
> >> feature. This lies outside of authentication layers, and is useful
> >> only in cases of HDFS and MapReduce which have group-wise applications
> >> and configurations.
> >>
> >> On Mon, Dec 10, 2012 at 2:20 AM, anil gupta <[EMAIL PROTECTED]>
> wrote:
> >> > Hi Harsh,
> >> >
> >> > We are in process of installing a HBase cluster with a secure HDFS and
> >> > HBase. We already have a secure HDFS integrated with AD but we are
> still
> >> > trying to figure out a way to integrate HBase with AD(directly or
> >> > indirectly throgh KDC). I think my colleague has already implemented
> the
> >> > stuff provided in previous link for securing HDFS. :) However, i will
> try
> >> > to correlate this article for HBase installation and see if we can
> make
> >> > HBase work with AD. Thanks a lot for your response and time.
> >> >
> >> > PS: It might be possible to integrate HBase with AD but till now i
> have
> >> > found no reference or documentation for it.
> >> >
> >> > Thanks,
> >> > Anil Gupta
> >> >
> >> > On Sat, Dec 8, 2012 at 11:17 AM, Harsh J <[EMAIL PROTECTED]> wrote:
> >> >
> >> >> Hi,
> >> >>
> >> >> An KDC can be made to trust an AD, which would solve your need. This
> >> >>
> >> >>
> >>
> https://ccp.cloudera.com/display/CDH4DOC/Integrating+Hadoop+Security+with+Active+Directory
> >> >> is one guide that details on how to set it up.
> >> >>
> >> >> HBase wraps very little logic over Hadoop's security providing
> >> >> classes, so proper Hadoop security configuration (such as

Thanks & Regards,
Anil Gupta