wchevreuil commented on a change in pull request #884: HBASE-23347 Allowable custom authentication methods for RPCs URL: https://github.com/apache/hbase/pull/884#discussion_r351731845
########## File path: PluggableRpcAuthentication.md ########## 
@@ -0,0 +1,140 @@ +# Pluggable Authentication for HBase RPCs + +## Background + +As a distributed database, HBase must be able to authenticate users and HBase +services across an untrusted network. Clients and HBase services are treated +equivalently in terms of authentication (and this is the only time we will +draw such a distinction). + +There are currently three modes of authentication which are supported by HBase +today via the configuration property `hbase.security.authentication` + +1. `SIMPLE` +2. `KERBEROS` +3. `TOKEN` + +`SIMPLE` authentication is effectively no authentication; HBase assumes the user +is who they claim to be. `KERBEROS` uses authenticates clients via the KerberosV5 +protocol using the GSSAPI mechanism of the Java Simple Authentication and Security +Layer (SASL) protocol. `TOKEN` is a username-password based authentication protocol +which uses short-lived passwords that can only be obtained via a `KERBEROS` authenticated +request. `TOKEN` authentication is synonymous with Hadoop-style [Delegation Tokens](https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/hadoop_tokens.html#delegation-tokens). `TOKEN` authentication uses the `DIGEST-MD5` +SASL mechanism. + +[SASL](https://docs.oracle.com/javase/8/docs/technotes/guides/security/sasl/sasl-refguide.html) +is a library which specifies a network protocol that can authenticate a client +and a server using an arbitrary mechanism. SASL ships with a [number of mechanisms](https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml) +out of the box and it is possible to implement custom mechanisms. SASL is effectively +decoupling an RPC client-server model from the mechanism used to authenticate those +requests (e.g. the RPC code is identical whether username-password, Kerberos, or any +other method is used to authenticate the request). + +The `SIMPLE` implementation does not use SASL, but instead has its own RPC logic +built into the HBase RPC protocol. 
`KERBEROS` and `TOKEN` both use SASL to authenticate, +relying on the `Token` interface that is intertwined with the Hadoop `UserGroupInformation` +class. SASL decouples an RPC from the mechanism used to authenticate that request. + +## Problem statement + +Despite HBase already shipping authentication implementations which leverage SASL, +it is (effectively) impossible to add a new authentication implementation to HBase. The +use of the `org.apache.hadoop.hbase.security.AuthMethod` enum makes it impossible +to define a new method of authentication. Also, the RPC implementation is written +to only use the methods that are expressly shipped in HBase. Adding a new authentication +method would require copying and modifying the RpcClient implementation. Review comment: Not only that, but also server side handler authentication logic as well. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
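Review bot: The problem statement names only the `RpcClient` implementation as what would have to be copied and modified, but (as the review comment points out) the `AuthMethod` enum is also consulted in the server-side handler authentication logic, so the doc should state that a new method currently requires changes on both the client and the server side. Two smaller points in the Background section: "`KERBEROS` uses authenticates clients via the KerberosV5 protocol" has a stray word and should read "`KERBEROS` authenticates clients via the Kerberos V5 protocol"; and the statement that SASL decouples the RPC layer from the authentication mechanism appears twice (at the end of the SASL paragraph and again after the `KERBEROS`/`TOKEN` sentence), so the second instance can be dropped. The parenthetical "(and this is the only time we will draw such a distinction)" also reads oddly next to "treated equivalently"; something like "(and this is the last time we will distinguish between them)" says what is meant.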