Re: Hbase security tutorial
Check out http://hbase.apache.org/book.html#security Also, we did a presentation at HBaseCon last year. This is a worked example for getting a simple secure cluster up and running with 0.94 at the time: https://github.com/apurtell/ec2-demo The most useful files will be https://github.com/apurtell/ec2-demo/blob/master/bin/image/tarball/create-image-remote, which lays down a base configuration, and https://github.com/apurtell/ec2-demo/blob/master/bin/image/tarball/setup-remote, which configures site files. On Wed, Feb 13, 2013 at 4:22 PM, Serge Blazhievsky wrote: > Hi all, > > I am looking for a good Hbase security tutorial. > > Could you please suggestion something? > > > Thanks > Serge > -- Best regards, - Andy Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
Re: Hbase security tutorial
Thanks On Feb 13, 2013, at 4:32 PM, Ted Yu wrote: > http://hbase.apache.org/book.html#security contains detailed information > about configuration. > > FYI > > On Wed, Feb 13, 2013 at 4:27 PM, Ted Yu wrote: > >> Gary has some slides: >> >> http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security >> >> Here are blog posts from the old HBase >> blog (hbaseblog.com). The site is gone but you can still see them on the >> Internet Archive: >> >> >> http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ >> >> >> http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ >> >> Cheers >> >> >> On Wed, Feb 13, 2013 at 4:22 PM, Serge Blazhievsky >> wrote: >> >>> Hi all, >>> >>> I am looking for a good Hbase security tutorial. >>> >>> Could you please suggestion something? >>> >>> >>> Thanks >>> Serge >>> >> >>
Re: Hbase security tutorial
http://hbase.apache.org/book.html#security contains detailed information about configuration. FYI On Wed, Feb 13, 2013 at 4:27 PM, Ted Yu wrote: > Gary has some slides: > > http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security > > Here are blog posts from the old HBase > blog (hbaseblog.com). The site is gone but you can still see them on the > Internet Archive: > > > http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ > > > http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ > > Cheers > > > On Wed, Feb 13, 2013 at 4:22 PM, Serge Blazhievsky > wrote: > >> Hi all, >> >> I am looking for a good Hbase security tutorial. >> >> Could you please suggestion something? >> >> >> Thanks >> Serge >> > >
Re: Hbase security tutorial
Gary has some slides: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security Here are blog posts from the old HBase blog (hbaseblog.com). The site is gone but you can still see them on the Internet Archive: http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ Cheers On Wed, Feb 13, 2013 at 4:22 PM, Serge Blazhievsky wrote: > Hi all, > > I am looking for a good Hbase security tutorial. > > Could you please suggestion something? > > > Thanks > Serge >
Re: HBase Security API
IMO, the application that you are referring should be set up to impersonate other users (called proxy-user authentication). Have a look at http://hadoop.apache.org/common/docs/r1.0.3/Secure_Impersonation.html. This can be mapped to the HBase land.. I think the class org.apache.hadoop.hbase.security.User should provide an API to create proxy users. On Jul 1, 2012, at 5:29 PM, Tony Dean wrote: > Posting this again in plaintext to see if it registers successfully. > > Hi, > > It appears that the Kerberos authentication integration into HBase is via > JAAS Krb5LoginModule. That is, > I can setup up the "Client" application context and configure where/how the > client Kerberos principle is > authenticated (TGT). Correct? If I have a multi-tenant application that > performs scans/gets/puts based > on different users, what is the appropriate way to specify the Kerberos > principle to use on each thread? > I was thinking that I could use a JAAS callbackHandler to specify the > principle to use and then configure > the login module to query a keytab for the principal's password key. Or do I > have to create a Subject and > configure the login module to use the shared state? > > What's an application's integration point into specifying what client > Kerberos principal to authenticate and use. > > > Thank you! > > > Tony Dean > SAS Institute Inc. > Senior Software Developer > 919-531-6704 > > > >
Re: HBase Security API
On Sun, Jul 1, 2012 at 5:29 PM, Tony Dean wrote: > It appears that the Kerberos authentication integration into HBase is via > JAAS Krb5LoginModule. That is, This is a question for gene...@hadoop.apache.org I think. HBase piggybacks on Hadoop's Kerberos integration. Hadoop uses its own custom LoginModule, see org.apache.hadoop.security.UserGroupInformation. Best regards, - Andy Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
Re: hbase security
On 5/17/12 1:22 PM, Stack wrote: > On Thu, May 17, 2012 at 7:19 AM, Eugene Koontz wrote: >> http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ >> >> http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ >> > > Anyone interested in porting these over to > http://blogs.apache.org/hbase/? They have great stuff in them. > St.Ack Hi St. Ack, Thanks for saying so! I'm planning to port mine (the access controls post) as soon as my Apache Roller account is granted by the Infra folks. -Eugene
Re: hbase security
I could repost the "up and running with secure hadoop" one. But it's kind of out of date at this point. I remember, back when the site was still up, getting some comments on it about things that had already changed in the 0.20.20X releases. I can take a look and see how bad it is. On Thu, May 17, 2012 at 1:22 PM, Stack wrote: > On Thu, May 17, 2012 at 7:19 AM, Eugene Koontz wrote: >> http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ >> >> http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ >> > > Anyone interested in porting these over to > http://blogs.apache.org/hbase/? They have great stuff in them. > St.Ack
Re: hbase security
On Thu, May 17, 2012 at 7:19 AM, Eugene Koontz wrote: > http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ > > http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ > Anyone interested in porting these over to http://blogs.apache.org/hbase/? They have great stuff in them. St.Ack
Re: hbase security
> On 5/15/12 2:24 AM, Harsh J wrote: > P.s. If you're making it to HBaseCon, you may not wanna miss > http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ > which also includes a tutorial (from Andrew). Given the time constraints on the material I have to present and Q&A, what I'm doing is bringing a ~5 minute (accelerated) video instead, which I may or may not have time to show., and posted the scripts and configuration used to set up the security enabled demo cluster in EC2 in a public GitHub repo: https://github.com/apurtell/tm-ec2-demo It's possible to use those GitHub scripts right away. Best regards, - Andy Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
Re: hbase security
On 5/15/12 2:24 AM, Harsh J wrote: > HBase 0.92 has table-level security (among other goodies). Check out > this slide on what all it includes: > http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security > > There was also a good blog post earlier on how to set it up, but am > currently unable to locate it. I'll post back in case I find an > archive (or someone else may). > > P.s. If you're making it to HBaseCon, you may not wanna miss > http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ > which also includes a tutorial (from Andrew). > Hi Harsh J and Rita, You might be interested in a couple of blog posts from the old HBase blog (hbaseblog.com). The site is gone but you can still see them on the Internet Archive: http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ -Eugene
Re: hbase security
Thanks! Can't wait until CHD4 :p On Tue, May 15, 2012 at 6:37 PM, Kevin O'dell wrote: > CDH4 is based off of 92 and will have HBase security. > > On Tue, May 15, 2012 at 6:35 PM, Rita wrote: > > > Do any of the CDH have this feature? > > > > > > On Tue, May 15, 2012 at 7:21 AM, Michel Segel > >wrote: > > > > > Coprocessors are inside the engine... So they should be in place if you > > > use the shell, or some other access method. > > > > > > Sent from a remote device. Please excuse any typos... > > > > > > Mike Segel > > > > > > On May 15, 2012, at 6:11 AM, Rita wrote: > > > > > > > I am guessing I can´t use these features using shell, right? > > > > > > > > > > > > > > > > On Tue, May 15, 2012 at 5:24 AM, Harsh J wrote: > > > > > > > >> HBase 0.92 has table-level security (among other goodies). Check out > > > >> this slide on what all it includes: > > > >> > > > >> > > > > > > http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security > > > >> > > > >> There was also a good blog post earlier on how to set it up, but am > > > >> currently unable to locate it. I'll post back in case I find an > > > >> archive (or someone else may). > > > >> > > > >> P.s. If you're making it to HBaseCon, you may not wanna miss > > > >> http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ > > > >> which also includes a tutorial (from Andrew). > > > >> > > > >> On Tue, May 15, 2012 at 8:11 AM, Rita wrote: > > > >>> Hello, > > > >>> > > > >>> It seems for my hbase installation anyone can delete my tables. Is > > > there > > > >> a > > > >>> way to prevent this? I would like to have only owner of Hmaster > with > > > >> super > > > >>> authority. > > > >>> > > > >>> tia > > > >>> > > > >>> -- > > > >>> --- Get your facts first, then you can distort them as you > please.-- > > > >> > > > >> > > > >> > > > >> -- > > > >> Harsh J > > > >> > > > > > > > > > > > > > > > > -- > > > > --- Get your facts first, then you can distort them as you please.-- > > > > > > > > > > > -- > > --- Get your facts first, then you can distort them as you please.-- > > > > > > -- > Kevin O'Dell > Customer Operations Engineer, Cloudera > -- --- Get your facts first, then you can distort them as you please.--
Re: hbase security
CDH4 is based off of 92 and will have HBase security. On Tue, May 15, 2012 at 6:35 PM, Rita wrote: > Do any of the CDH have this feature? > > > On Tue, May 15, 2012 at 7:21 AM, Michel Segel >wrote: > > > Coprocessors are inside the engine... So they should be in place if you > > use the shell, or some other access method. > > > > Sent from a remote device. Please excuse any typos... > > > > Mike Segel > > > > On May 15, 2012, at 6:11 AM, Rita wrote: > > > > > I am guessing I can´t use these features using shell, right? > > > > > > > > > > > > On Tue, May 15, 2012 at 5:24 AM, Harsh J wrote: > > > > > >> HBase 0.92 has table-level security (among other goodies). Check out > > >> this slide on what all it includes: > > >> > > >> > > > http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security > > >> > > >> There was also a good blog post earlier on how to set it up, but am > > >> currently unable to locate it. I'll post back in case I find an > > >> archive (or someone else may). > > >> > > >> P.s. If you're making it to HBaseCon, you may not wanna miss > > >> http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ > > >> which also includes a tutorial (from Andrew). > > >> > > >> On Tue, May 15, 2012 at 8:11 AM, Rita wrote: > > >>> Hello, > > >>> > > >>> It seems for my hbase installation anyone can delete my tables. Is > > there > > >> a > > >>> way to prevent this? I would like to have only owner of Hmaster with > > >> super > > >>> authority. > > >>> > > >>> tia > > >>> > > >>> -- > > >>> --- Get your facts first, then you can distort them as you please.-- > > >> > > >> > > >> > > >> -- > > >> Harsh J > > >> > > > > > > > > > > > > -- > > > --- Get your facts first, then you can distort them as you please.-- > > > > > > -- > --- Get your facts first, then you can distort them as you please.-- > -- Kevin O'Dell Customer Operations Engineer, Cloudera
Re: hbase security
Do any of the CDH have this feature? On Tue, May 15, 2012 at 7:21 AM, Michel Segel wrote: > Coprocessors are inside the engine... So they should be in place if you > use the shell, or some other access method. > > Sent from a remote device. Please excuse any typos... > > Mike Segel > > On May 15, 2012, at 6:11 AM, Rita wrote: > > > I am guessing I can´t use these features using shell, right? > > > > > > > > On Tue, May 15, 2012 at 5:24 AM, Harsh J wrote: > > > >> HBase 0.92 has table-level security (among other goodies). Check out > >> this slide on what all it includes: > >> > >> > http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security > >> > >> There was also a good blog post earlier on how to set it up, but am > >> currently unable to locate it. I'll post back in case I find an > >> archive (or someone else may). > >> > >> P.s. If you're making it to HBaseCon, you may not wanna miss > >> http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ > >> which also includes a tutorial (from Andrew). > >> > >> On Tue, May 15, 2012 at 8:11 AM, Rita wrote: > >>> Hello, > >>> > >>> It seems for my hbase installation anyone can delete my tables. Is > there > >> a > >>> way to prevent this? I would like to have only owner of Hmaster with > >> super > >>> authority. > >>> > >>> tia > >>> > >>> -- > >>> --- Get your facts first, then you can distort them as you please.-- > >> > >> > >> > >> -- > >> Harsh J > >> > > > > > > > > -- > > --- Get your facts first, then you can distort them as you please.-- > -- --- Get your facts first, then you can distort them as you please.--
Re: hbase security
Coprocessors are inside the engine... So they should be in place if you use the shell, or some other access method. Sent from a remote device. Please excuse any typos... Mike Segel On May 15, 2012, at 6:11 AM, Rita wrote: > I am guessing I can´t use these features using shell, right? > > > > On Tue, May 15, 2012 at 5:24 AM, Harsh J wrote: > >> HBase 0.92 has table-level security (among other goodies). Check out >> this slide on what all it includes: >> >> http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security >> >> There was also a good blog post earlier on how to set it up, but am >> currently unable to locate it. I'll post back in case I find an >> archive (or someone else may). >> >> P.s. If you're making it to HBaseCon, you may not wanna miss >> http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ >> which also includes a tutorial (from Andrew). >> >> On Tue, May 15, 2012 at 8:11 AM, Rita wrote: >>> Hello, >>> >>> It seems for my hbase installation anyone can delete my tables. Is there >> a >>> way to prevent this? I would like to have only owner of Hmaster with >> super >>> authority. >>> >>> tia >>> >>> -- >>> --- Get your facts first, then you can distort them as you please.-- >> >> >> >> -- >> Harsh J >> > > > > -- > --- Get your facts first, then you can distort them as you please.--
Re: hbase security
I am guessing I can´t use these features using shell, right? On Tue, May 15, 2012 at 5:24 AM, Harsh J wrote: > HBase 0.92 has table-level security (among other goodies). Check out > this slide on what all it includes: > > http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security > > There was also a good blog post earlier on how to set it up, but am > currently unable to locate it. I'll post back in case I find an > archive (or someone else may). > > P.s. If you're making it to HBaseCon, you may not wanna miss > http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ > which also includes a tutorial (from Andrew). > > On Tue, May 15, 2012 at 8:11 AM, Rita wrote: > > Hello, > > > > It seems for my hbase installation anyone can delete my tables. Is there > a > > way to prevent this? I would like to have only owner of Hmaster with > super > > authority. > > > > tia > > > > -- > > --- Get your facts first, then you can distort them as you please.-- > > > > -- > Harsh J > -- --- Get your facts first, then you can distort them as you please.--
Re: hbase security
HBase 0.92 has table-level security (among other goodies). Check out this slide on what all it includes: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security There was also a good blog post earlier on how to set it up, but am currently unable to locate it. I'll post back in case I find an archive (or someone else may). P.s. If you're making it to HBaseCon, you may not wanna miss http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ which also includes a tutorial (from Andrew). On Tue, May 15, 2012 at 8:11 AM, Rita wrote: > Hello, > > It seems for my hbase installation anyone can delete my tables. Is there a > way to prevent this? I would like to have only owner of Hmaster with super > authority. > > tia > > -- > --- Get your facts first, then you can distort them as you please.-- -- Harsh J
Re: hbase security
you can use the hadoop + kerberos security feature to have security at hadoop level similarly, you can edit hbase-site.xml to have kerberos authentications. for more you can refer: https://ccp.cloudera.com/display/CDHDOC/HBase+Security+Configuration On Tue, May 15, 2012 at 8:11 AM, Rita wrote: > Hello, > > It seems for my hbase installation anyone can delete my tables. Is there a > way to prevent this? I would like to have only owner of Hmaster with super > authority. > > tia > > -- > --- Get your facts first, then you can distort them as you please.-- > -- Nitin Pawar
Re: HBase Security Configuration
Hey Konrad, Make sure your HBase's classpath also has the Hadoop conf dir on it (specifically hdfs-site.xml and core-site.xml). It it already does have that, make sure they are populated with the right HDFS cluster values (core-site needs two properties that toggle security ON, and hdfs-site needs the HDFS server principals configured inside it - basically just copy these core-site and hdfs-site files from your secured HDFS cluster config over to the HBase machines/classpath). On Tue, Apr 17, 2012 at 5:38 PM, Konrad Tendera wrote: > Hello, > I'm trying to configure secure HBase using following instruction: > https://ccp.cloudera.com/display/CDHDOC/HBase+Security+Configuration. Our > cluster uses Kerberos and everything in Hadoop work fine. But when I start > HBase following exception is thrown > > FATAL org.apache.hadoop.hbase.master.HMaster: Unhandled exception. Starting > shutdown. > org.apache.hadoop.security.AccessControlException: Authentication is required > at org.apache.hadoop.ipc.Client.call(Client.java:1028) > at > org.apache.hadoop.ipc.WritableRpcEngine$Invoker.invoke(WritableRpcEngine.java:198) > at $Proxy9.getProtocolVersion(Unknown Source) > at > org.apache.hadoop.ipc.WritableRpcEngine.getProxy(WritableRpcEngine.java:235) > at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:275) > at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:249) > at > org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:161) > at org.apache.hadoop.hdfs.DFSClient.(DFSClient.java:278) > at org.apache.hadoop.hdfs.DFSClient.(DFSClient.java:245) > at > org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:109) > at > org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1792) > at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:76) > at > org.apache.hadoop.fs.FileSystem$Cache.getInternal(FileSystem.java:1826) > at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1808) > at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:265) > at org.apache.hadoop.fs.Path.getFileSystem(Path.java:189) > at org.apache.hadoop.hbase.util.FSUtils.getRootDir(FSUtils.java:471) > at > org.apache.hadoop.hbase.master.MasterFileSystem.(MasterFileSystem.java:94) > at > org.apache.hadoop.hbase.master.HMaster.finishInitialization(HMaster.java:448) > at org.apache.hadoop.hbase.master.HMaster.run(HMaster.java:326) > at java.lang.Thread.run(Thread.java:662) > > I can't find any info about it. I'm using Hbase 0.92 with Hadoop 0.22 > > -- > Konrad Tendera -- Harsh J