[ https://issues.apache.org/jira/browse/HBASE-9482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13763017#comment-13763017 ]
Nicolas Liochon commented on HBASE-9482:
----------------------------------------

Ok, I read the code again & I agree. Still +1.

> Do not enforce secure Hadoop for secure HBase
> ---------------------------------------------
>
> Key: HBASE-9482
> URL: https://issues.apache.org/jira/browse/HBASE-9482
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.95.2, 0.94.11
> Reporter: Aditya Kishore
> Assignee: Aditya Kishore
> Labels: security
> Fix For: 0.96.0
>
> Attachments: HBASE-9482-0.94.patch, HBASE-9482.patch, HBASE-9482.patch, HBASE-9482.patch
>
>
> We should recommend and not enforce secure Hadoop underneath as a requirement to run secure HBase.
> Few of our customers have HBase clusters which expose only HBase services to outside the physical network and no other services (including ssh) are accessible from outside of such cluster.
> However they are forced to set up secure Hadoop and incur the penalty of security overhead at filesystem layer even if they do not need to.
> The following code tests for both secure HBase and secure Hadoop.
> {code:title=org.apache.hadoop.hbase.security.User|borderStyle=solid}
> /**
>  * Returns whether or not secure authentication is enabled for HBase. Note that
>  * HBase security requires HDFS security to provide any guarantees, so this requires that
>  * both <code>hbase.security.authentication</code> and <code>hadoop.security.authentication</code>
>  * are set to <code>kerberos</code>.
>  */
> public static boolean isHBaseSecurityEnabled(Configuration conf) {
>   return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY)) &&
>       "kerberos".equalsIgnoreCase(
>           conf.get(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION));
> }
> {code}
> What is worse is that if {{"hadoop.security.authentication"}} is not set to {{"kerberos"}} (undocumented at http://hbase.apache.org/book/security.html), all other configurations have no impact and HBase RPCs silently switch back to unsecured mode.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
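
A configuration audit for the condition described in the quoted issue, as an added example that is not part of the original message or of HBase: it merges Hadoop-style XML configuration documents and flags the case where `hbase.security.authentication` is `kerberos` but the quoted `isHBaseSecurityEnabled()` check still returns false. The sample XML, the function names and the result labels are constructed for illustration, and the `<final>` handling is a simplified rendering of Hadoop's behaviour.

```python
import xml.etree.ElementTree as ET

HBASE_KEY = "hbase.security.authentication"
HADOOP_KEY = "hadoop.security.authentication"

# Constructed sample files: HBase asks for Kerberos, Hadoop is left at "simple".
CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""
HBASE_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>Kerberos</value></property>
</configuration>"""

def load_properties(*xml_docs):
    """Merge Hadoop-style <configuration> documents, later ones overriding
    earlier ones unless a property was marked <final>true</final>."""
    merged, final = {}, set()
    for doc in xml_docs:
        for prop in ET.fromstring(doc).iter("property"):
            name = (prop.findtext("name") or "").strip()
            if not name or name in final:
                continue
            merged[name] = prop.findtext("value") or ""
            if (prop.findtext("final") or "").strip().lower() == "true":
                final.add(name)
    return merged

def is_kerberos(props, key):
    # Same comparison as the quoted Java: case-insensitive, otherwise exact.
    return props.get(key, "").lower() == "kerberos"

def is_hbase_security_enabled(props):
    """Python rendering of the quoted isHBaseSecurityEnabled() check."""
    return is_kerberos(props, HBASE_KEY) and is_kerberos(props, HADOOP_KEY)

def audit(props):
    """Classify a merged configuration against the quoted check."""
    if is_hbase_security_enabled(props):
        return "secure"
    if is_kerberos(props, HBASE_KEY):
        # Kerberos requested for HBase, but the check still returns false.
        return "silent-fallback"
    return "unsecured"

if __name__ == "__main__":
    print(audit(load_properties(CORE_SITE, HBASE_SITE)))
```
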