[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13810808#comment-13810808 ]

Dilli Arumugam commented on HBASE-9866:
---------------------------------------

In the context of curl usage
   curl -i --negotiate -u <USER>/DOMAIN http://<HOST>:<PORT>/version/cluster
As far as I know and tested, the usage is 
     curl -i --negotiate -u :  http://<HOST>:<PORT>/version/cluster
Value of option -u is ignored.
The identity of the caller is established based on the Kerberos ticket in 
the ticket cache.
The Kerberos ticket would have been populated by a call to kinit.

In the context of Knox usage, the caller identity established by the Kerberos 
ticket is that of "knox". Knox has to tell the HBase REST gateway that the call is 
made on behalf of a specific end user. That end user identity has to go in as 
the doAs query parameter value. That is how it happens for WebHDFS, Oozie and 
WebHCat calls from Knox.





> Support the mode where REST server authorizes proxy users
> ---------------------------------------------------------
>
>                 Key: HBASE-9866
>                 URL: https://issues.apache.org/jira/browse/HBASE-9866
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Devaraj Das
>            Assignee: Devaraj Das
>             Fix For: 0.96.1
>
>         Attachments: 9866-1.txt
>
>
> In one use case, someone was trying to authorize with the REST server as a 
> proxy user. That mode is not supported today. 
> The curl request would be something like (assuming SPNEGO auth) - 
> {noformat}
> curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster?doas=<USER>
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.1#6144)
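
The comment above separates the caller authenticated by the Kerberos ticket ("knox") from the end user named in doAs, so a server that accepts the parameter has to decide whether that caller may act for that user. A sketch of such a check follows, added here and not taken from the HBase patch or from anyone in the thread; the policy table, group map, addresses and function names are constructed, with the policy modelled on Hadoop's hadoop.proxyuser.<name>.hosts/.groups settings.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed policy: which authenticated service users may impersonate
# members of which groups, and from which addresses.
PROXY_POLICY = {"knox": {"hosts": {"10.0.0.5"}, "groups": {"analysts"}}}
# Constructed group membership for the sample end users.
USER_GROUPS = {"alice": {"analysts"}, "bob": {"ops"}}


class ImpersonationDenied(Exception):
    """The authenticated caller may not act as the requested user."""


def short_name(principal):
    """Reduce 'knox/gw.example.com@EXAMPLE.COM' to 'knox'."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def effective_user(principal, remote_addr, url):
    """Return the user a request runs as, given the SPNEGO-proven principal."""
    caller = short_name(principal)
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Accept doAs and doas alike: a choice made for this example only.
    values = [v for k, vs in query.items() if k.lower() == "doas" for v in vs]
    if not values:
        return caller  # no impersonation requested
    if len(values) != 1 or not values[0]:
        raise ImpersonationDenied("ambiguous or empty doAs value")
    target = values[0]
    if target == caller:
        return caller
    rule = PROXY_POLICY.get(caller)
    if rule is None:
        raise ImpersonationDenied(f"{caller} is not a proxy user")
    if remote_addr not in rule["hosts"]:
        raise ImpersonationDenied(f"{caller} may not proxy from {remote_addr}")
    if not USER_GROUPS.get(target, set()) & rule["groups"]:
        raise ImpersonationDenied(f"{caller} may not impersonate {target}")
    return target
```

The doAs value is never trusted on its own: it only takes effect after the authenticated principal passes the proxy-user policy, and a repeated or empty value is rejected rather than guessed at.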
