anmolnar opened a new pull request, #4733:
URL: https://github.com/apache/hbase/pull/4733

   Adds a new SASL mech plugin for OAuthBearer (JWT) authentication.
   - In order to keep the size of this initial patch manageable, the supported workflow is limited: the client reads a single JWT token with expiry information from an environment variable and authenticates with the server.
   - It works similarly to Hadoop delegation tokens: the JWT token takes precedence, but if it's missing, the auth provider will fall back to Kerberos.
   - Kerberos must be enabled on the cluster, otherwise HBase security is not enabled.
   
   Minimum configuration to enable JWT auth:
   ```
     <property>
       <name>hbase.client.sasl.provider.extras</name>
       <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslClientAuthenticationProvider</value>
     </property>
     <property>
       <name>hbase.server.sasl.provider.extras</name>
       <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslServerAuthenticationProvider</value>
     </property>
     <property>
       <name>hbase.client.sasl.provider.class</name>
       <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslProviderSelector</value>
     </property>
     <property>
       <name>hbase.security.oauth.jwt.jwks.url</name>
       <value>JWKS download url</value>
     </property>
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@hbase.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
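
An added example, not part of the pull request or the HBase code base: a Python check that audits an hbase-site.xml against the minimum configuration listed in the PR description. The `hbase.security.authentication` lookup and the https requirement on the JWKS URL are assumptions of this example, and the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG = "org.apache.hadoop.hbase.security.provider."
# Property and class names exactly as listed in the PR description.
REQUIRED = {
    "hbase.client.sasl.provider.extras": PKG + "OAuthBearerSaslClientAuthenticationProvider",
    "hbase.server.sasl.provider.extras": PKG + "OAuthBearerSaslServerAuthenticationProvider",
    "hbase.client.sasl.provider.class": PKG + "OAuthBearerSaslProviderSelector",
}
JWKS_KEY = "hbase.security.oauth.jwt.jwks.url"
AUTH_KEY = "hbase.security.authentication"  # existing HBase setting, not from the PR text

def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    props = load_properties(xml_text)
    findings = []
    for key, cls in REQUIRED.items():
        # Split on commas so a value listing several providers still matches.
        if cls not in [v.strip() for v in props.get(key, "").split(",")]:
            findings.append(f"{key}: {cls} not configured")
    # The PR states that without Kerberos, HBase security is not enabled.
    if props.get(AUTH_KEY, "").lower() != "kerberos":
        findings.append(f"{AUTH_KEY}: not set to kerberos")
    url = urlparse(props.get(JWKS_KEY, ""))
    if not url.netloc:
        findings.append(f"{JWKS_KEY}: missing or still a placeholder")
    elif url.scheme != "https":
        # Assumption of this example: keys that verify tokens should arrive over TLS.
        findings.append(f"{JWKS_KEY}: uses {url.scheme}, expected https")
    return findings

def to_xml(props):
    """Build a constructed hbase-site.xml string from a dict (sample input helper)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed samples: the PR's template as-is, and a completed variant.
TEMPLATE = dict(REQUIRED, **{JWKS_KEY: "JWKS download url"})
COMPLETED = dict(REQUIRED, **{JWKS_KEY: "https://idp.example.org/jwks.json", AUTH_KEY: "kerberos"})
```

Run against the unmodified template, `audit` reports the placeholder JWKS URL and the absent Kerberos setting; the completed sample returns no findings.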
