[
https://issues.apache.org/jira/browse/HBASE-20886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16544102#comment-16544102
]
Reid Chan commented on HBASE-20886:
-----------------------------------
bq. I think the login is done by UserGroupInformation?
Yes, the underlying implementation is {{UserGroupInformation}}. Just wrap it
into connection creation and provide renew logic. This will eliminate trouble
of hbase application, they only need to provide client keytab and principal.
BTW, Zookeeper, Kafka, Flink, Spark, etc., open sources do the similar way by
providing JAAS file or configurations, client application takes no care about
how to login and when to renew, but just focus on business.
> [Auth] Support keytab login in hbase client
> -------------------------------------------
>
> Key: HBASE-20886
> URL: https://issues.apache.org/jira/browse/HBASE-20886
> Project: HBase
> Issue Type: Improvement
> Components: asyncclient, Client, security
> Reporter: Reid Chan
> Assignee: Reid Chan
> Priority: Critical
> Attachments: HBASE-20886.master.001.patch
>
>
> There're lots of questions about how to connect to kerberized hbase cluster
> through hbase-client api from user-mail and slack channel.
> {{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}} are
> already existed in code base, but they are only used in {{Canary}}.
> This issue is to make use of two configs to support client-side keytab based
> login, after this issue resolved, hbase-client should directly connect to
> kerberized cluster without changing any code as long as
> {{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}} are
> specified.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
