anmolnar opened a new pull request, #4733: URL: https://github.com/apache/hbase/pull/4733
Adds a new SASL mech plugin for OAuthBearer (JWT) authentication.

- In order to keep the size of this initial patch manageable, the supported workflow is limited: client reads a single JWT token with expiry information from environment variable and authenticates with the server.
- It works similarly to Hadoop delegation tokens, JWT token takes precedence, but if it's missing, the auth provider will fall back to Kerberos.
- Kerberos must be enabled on the cluster, otherwise HBase security is not enabled.

Minimum configuration to enable JWT auth:

```xml
<property>
  <name>hbase.client.sasl.provider.extras</name>
  <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslClientAuthenticationProvider</value>
</property>
<property>
  <name>hbase.server.sasl.provider.extras</name>
  <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslServerAuthenticationProvider</value>
</property>
<property>
  <name>hbase.client.sasl.provider.class</name>
  <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslProviderSelector</value>
</property>
<property>
  <name>hbase.security.oauth.jwt.jwks.url</name>
  <value>JWKS download url</value>
</property>
```