[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16994875#comment-16994875 ]
Josh Elser commented on HBASE-23347: ------------------------------------ Thanks Reid! Will wait for ya. > Pluggable RPC authentication > ---------------------------- > > Key: HBASE-23347 > URL: https://issues.apache.org/jira/browse/HBASE-23347 > Project: HBase > Issue Type: Improvement > Components: rpc, security > Reporter: Josh Elser > Assignee: Josh Elser > Priority: Major > Fix For: 3.0.0 > > > Today in HBase, we rely on SASL to implement Kerberos and delegation token > authentication. The RPC client and server logic is very tightly coupled to > our three authentication mechanism (the previously two mentioned plus simple > auth'n) for no good reason (other than "that's how it was built", best as I > can tell). > SASL's function is to decouple the "application" from how a request is being > authenticated, which means that, to support a variety of other authentication > approaches, we just need to be a little more flexible in letting developers > create their own authentication mechanism for HBase. > This is less for the "average joe" user to write their own authentication > plugin (eek), but more to allow us HBase developers to start iterating, see > what is possible. > I'll attach a full write-up on what I have today as to how I think we can add > these abstractions, as well as an initial implementation of this idea, with a > unit test that shows an end-to-end authentication solution against HBase. > cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots > of great feedback and support. -- This message was sent by Atlassian Jira (v8.3.4#803005)