[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13810808#comment-13810808 ]
Dilli Arumugam commented on HBASE-9866: --------------------------------------- In the context of curl usage curl -i --negotiate -u <USER>/DOMAIN http://<HOST>:<PORT>/version/cluster As far as I know and tested, the usage is curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster Value of option -u is ignored. The identity of the caller is established based on the kerberos ticket in ticket cache. Kerberos ticket would have been populated by a call to kinit. In the context of Knox usage, the caller identity established by kerberos ticket is that of "knox". Knox has to tell HBase Rest gateway that the call is made on behalf of specific end user. That end user identity has to go in as doAs query parameter value. That is how it happens for WebHDFS, Oozie and WebHCat calls from Knox. > Support the mode where REST server authorizes proxy users > --------------------------------------------------------- > > Key: HBASE-9866 > URL: https://issues.apache.org/jira/browse/HBASE-9866 > Project: HBase > Issue Type: Improvement > Reporter: Devaraj Das > Assignee: Devaraj Das > Fix For: 0.96.1 > > Attachments: 9866-1.txt > > > In one use case, someone was trying to authorize with the REST server as a > proxy user. That mode is not supported today. > The curl request would be something like (assuming SPNEGO auth) - > {noformat} > curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster?doas=<USER> > {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)