[
https://issues.apache.org/jira/browse/HBASE-14700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14978847#comment-14978847
]
Andrew Purtell commented on HBASE-14700:
----------------------------------------
The patch lgtm. I like the new metric.
I can see why you might want this at TRACE level but I'd actually suggest WARN.
Suggest also recording the user in this log line. Will be a PITA when the
envisioned migration begins with most clients only capable of simple auth but
very useful once there are just a handful of stragglers and every instance of
this log line will be actionable.
{code}
1530 if (allowFallbackToSimpleAuth) {
1531 metrics.authenticationFallback();
1532 if (LOG.isTraceEnabled()) {
1533 LOG.trace("Falling back to SIMPLE auth for connection from
" + getHostAddress());
1534 }
1535 } else {
{code}
If we have fallbacks enabled both on client and server, then would it be the
case if Kerberos auth fails we'd get a successful negotiation with SIMPLE auth,
and with an audit record in the log and increment of relevant metric? That
could also be useful in some settings.
> Support a "permissive" mode for secure clusters to allow "simple" auth clients
> ------------------------------------------------------------------------------
>
> Key: HBASE-14700
> URL: https://issues.apache.org/jira/browse/HBASE-14700
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Gary Helmling
> Assignee: Gary Helmling
> Fix For: 2.0.0
>
> Attachments: HBASE-14700-v2.patch, HBASE-14700.patch
>
>
> When implementing HBase security for an existing cluster, it can be useful to
> support mixed secure and insecure clients while all client configurations are
> migrated over to secure authentication.
> We currently have an option to allow secure clients to fallback to simple
> auth against insecure clusters. By providing an analogous setting for
> servers, we would allow a phased rollout of security:
> # First, security can be enabled on the cluster servers, with the
> "permissive" mode enabled
> # Clients can be converting to using secure authentication incrementally
> # The server audit logs allow identification of clients still using simple
> auth to connect
> # Finally, when sufficient clients have been converted to secure operation,
> the server-side "permissive" mode can be removed, allowing completely secure
> operation.
> Obviously with this enabled, there is no effective access control, but this
> would still be a useful tool to enable a smooth operational rollout of
> security. Permissive mode would of course be disabled by default. Enabling
> it should provide a big scary warning in the logs on startup, and possibly be
> flagged on relevant UIs.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
