[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser resolved HBASE-23347.
--------------------------------
    Fix Version/s: 2.3.0
     Hadoop Flags: Reviewed
     Release Note: 
This change introduces an internal abstraction layer which allows for new 
SASL-based authentication mechanisms to be used inside HBase services. All 
existing SASL-based authentication mechanisms were ported to the new 
abstraction, making no external change in runtime semantics, client API, or RPC 
serialization format.

Developers familiar with extending HBase can implement authentication mechanisms 
beyond simple Kerberos and DelegationTokens which authenticate HBase users 
against some other user database. HBase service authentication (Master to/from 
RegionServer) continues to operate solely over Kerberos.
       Resolution: Fixed

Pushed to branch-2 and master. Thanks to everyone who played a part in 
reviewing this.

> Pluggable RPC authentication
> ----------------------------
>
>                 Key: HBASE-23347
>                 URL: https://issues.apache.org/jira/browse/HBASE-23347
>             Project: HBase
>          Issue Type: Improvement
>          Components: rpc, security
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Major
>             Fix For: 3.0.0, 2.3.0
>
>
> Today in HBase, we rely on SASL to implement Kerberos and delegation token 
> authentication. The RPC client and server logic is very tightly coupled to 
> our three authentication mechanisms (the two previously mentioned plus simple 
> auth'n) for no good reason (other than "that's how it was built", best as I 
> can tell).
> SASL's function is to decouple the "application" from how a request is being 
> authenticated, which means that, to support a variety of other authentication 
> approaches, we just need to be a little more flexible in letting developers 
> create their own authentication mechanism for HBase.
> This is less for the "average joe" user to write their own authentication 
> plugin (eek), but more to allow us HBase developers to start iterating, see 
> what is possible.
> I'll attach a full write-up on what I have today as to how I think we can add 
> these abstractions, as well as an initial implementation of this idea, with a 
> unit test that shows an end-to-end authentication solution against HBase.
> cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots 
> of great feedback and support.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
