[
https://issues.apache.org/jira/browse/HBASE-14700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14979268#comment-14979268
]
Gary Helmling commented on HBASE-14700:
---------------------------------------
bq. I can see why you might want this at TRACE level but I'd actually suggest
WARN. Suggest also recording the user in this log line.
Hmm, I originally thought that we could get this same info from the audit log,
but, looking now, the audit log entry is written in {{saslReadAndProcess()}},
so it would never be called for these fallback authentications. I can defer
the logging until after the connection header is read so that we can log the
username as well. Agree that that is critical information. Seems like we
would want these present in the audit log as well, with SIMPLE for the auth
method?
If both the server and client are configured with the fallback settings,
assuming the server is also configured with security, as things stand now, the
fallback to simple auth would never be sent back to the client, since it's
gated on this:
{code}
if (!isSecurityEnabled && authMethod != AuthMethod.SIMPLE) {
{code}
This also happens in {{readPreamble()}} so it's before the SASL negotiation is
attempted. I suppose if the negotiation fails, then if the server-side
fallback flag in enabled, we could add a check to send the
SWITCH_TO_SIMPLE_AUTH response. That could allow things to continue working in
an insecure manner, but could also mask client-side misconfigurations. If you
still think it's worthwhile, maybe we should open a separate JIRA to discuss
implications?
> Support a "permissive" mode for secure clusters to allow "simple" auth clients
> ------------------------------------------------------------------------------
>
> Key: HBASE-14700
> URL: https://issues.apache.org/jira/browse/HBASE-14700
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Gary Helmling
> Assignee: Gary Helmling
> Fix For: 2.0.0
>
> Attachments: HBASE-14700-v2.patch, HBASE-14700.patch
>
>
> When implementing HBase security for an existing cluster, it can be useful to
> support mixed secure and insecure clients while all client configurations are
> migrated over to secure authentication.
> We currently have an option to allow secure clients to fallback to simple
> auth against insecure clusters. By providing an analogous setting for
> servers, we would allow a phased rollout of security:
> # First, security can be enabled on the cluster servers, with the
> "permissive" mode enabled
> # Clients can be converting to using secure authentication incrementally
> # The server audit logs allow identification of clients still using simple
> auth to connect
> # Finally, when sufficient clients have been converted to secure operation,
> the server-side "permissive" mode can be removed, allowing completely secure
> operation.
> Obviously with this enabled, there is no effective access control, but this
> would still be a useful tool to enable a smooth operational rollout of
> security. Permissive mode would of course be disabled by default. Enabling
> it should provide a big scary warning in the logs on startup, and possibly be
> flagged on relevant UIs.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
