[ https://issues.apache.org/jira/browse/HBASE-2016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13817703#comment-13817703 ]

Mikhail Antonov commented on HBASE-2016:
----------------------------------------

I see, thanks for the comment Andrew.

I'm actually looking for the deployment picture where I can avoid having 
Kerberos principals for end customers of HBase Shell, but it looks like it's not 
supported now?

What I'm trying to do is the following: 

 - Namenode/JT are secured already and have Kerberos principals
 - HiveServer2 is already secured in our installation, and configured in such a 
way that HS itself has Kerberos principals, but end users log in via LDAP and 
their credentials are passed to NN/JT as proxied Kerberos tickets. So 
impersonation works just fine, like in Oozie and other "service-style" entities
 - HBase REST seems to support impersonation

But I don't see an option to allow end users of HBase Shell (John Smith) to 
authenticate via LDAP (without creating a trusted bridge between Kerberos and AD, 
since it may be an arbitrary LDAP server), and then get his credentials to be 
proxied via some service Kerberos principal and to be passed to HBase 
(something like "jsmith via hbase-shell-user/domain@REALM"). 

Is there any support for that, or am I missing something?

> [DAC] Authentication
> --------------------
>
>                 Key: HBASE-2016
>                 URL: https://issues.apache.org/jira/browse/HBASE-2016
>             Project: HBase
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Andrew Purtell
>            Assignee: Gary Helmling
>
> Follow what Hadoop is doing. Authentication via JAAS: 
>     http://issues.apache.org/jira/browse/HADOOP-6299
>     http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html
> Should support Kerberos, Unix, and LDAP authentication options. 
> Integrate with authentication mechanisms for IPC and HDFS. 



--
This message was sent by Atlassian JIRA
(v6.1#6144)
