Re: Thrift client authentication skipped for HBase thrift server

2014-09-02 Thread Jimmy Xiang
Kashif,

HBASE-11349/HBASE-11474 is indeed to authenticate Thrift clients using
Kerberos. Is this what you are looking for?
For Thrift server authentication, it is already there. Please refer to the
hbase book
http://hbase.apache.org/book/security.html#hbase.secure.configuration
Section 8.1.4 for more details.

Thanks,
Jimmy


On Sun, Aug 31, 2014 at 11:28 PM, Kashif Jawed Siddiqui kashi...@huawei.com wrote:

 Hi All,

 As per current implementation done for
 https://issues.apache.org/jira/i#browse/HBASE-11349 and
 https://issues.apache.org/jira/i#browse/HBASE-11474,

 The authentication mechanism using Kerberos principal for Thrift server
 with HBase is perfectly fine.



 But for clients communicating to HBase via thrift server, it does not
 handle the security mechanism.

 Any unauthenticated client can access HBase via thrift server. The thrift
 server can act as a backdoor entry for skipping the security
 authentication.

 It will be better if thrift clients can also be authenticated through some
 mechanism like Kerberos or IP restriction, etc.



 Let us discuss the mechanism for thrift client authentication that can be
 implemented.



 ***
 This e-mail and attachments contain confidential information from HUAWEI,
 which is intended only for the person or entity whose address is listed
 above. Any use of the information contained herein in any way (including,
 but not limited to, total or partial disclosure, reproduction, or
 dissemination) by persons other than the intended recipient's) is
 prohibited. If you receive this e-mail in error, please notify the sender
 by phone or email immediately and delete it!




RE: Thrift client authentication skipped for HBase thrift server

2014-09-02 Thread Kashif Jawed Siddiqui
Hi Jimmy,

HBASE-11349/HBASE-11474 is to authenticate the connection from thrift 
server to HBase.

Here by the term thrift clients, I mean clients trying to access HBase 
via thrift server.

For example, clients on any unsecure machine will connect to thrift 
server port 9090, and in turn thrift will connect to HBase.

Client --(unauthenticated connect via port 9090)--> Thrift --
(Kerberos authenticated connection)--> HBase


As portrayed above, the Thrift will authenticate with HBase using 
Kerberos. But clients connecting to thrift server via 9090 do not get 
authenticated.



-Original Message-
From: Jimmy Xiang [mailto:jxi...@cloudera.com]
Sent: 03 September 2014 03:06
To: dev@hbase.apache.org
Subject: Re: Thrift client authentication skipped for HBase thrift server
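As an added example that is not part of either message: the hbase-site.xml fragment below contrasts a Thrift gateway that only authenticates itself to HBase (the topology Kashif describes) with one that also requires SASL/Kerberos from its own clients, via the hbase.thrift.security.qop property present in HBase releases that carry HBASE-11349/HBASE-11474. The principal, realm and keytab path are placeholders.

```xml
<!-- hbase-site.xml on the Thrift gateway host (added example, not from the
     thread). Principal, realm and keytab path are placeholders. -->

<!-- Weak: with only these two properties, the gateway logs in to HBase
     with Kerberos, but any TCP client reaching port 9090 is accepted
     without authentication and acts with the gateway's identity. -->
<property>
  <name>hbase.thrift.kerberos.principal</name>
  <value>hbase/_HOST@EXAMPLE.COM</value>
</property>
<property>
  <name>hbase.thrift.keytab.file</name>
  <value>/etc/hbase/conf/hbase.keytab</value>
</property>

<!-- Corrected: keep the two properties above and additionally require
     SASL (Kerberos) from Thrift clients. auth = authentication only,
     auth-int adds message integrity, auth-conf adds confidentiality. -->
<property>
  <name>hbase.thrift.security.qop</name>
  <value>auth-conf</value>
</property>
```

The SASL transport only works with the unframed Thrift transport, so hbase.regionserver.thrift.framed must stay false on that gateway; check the HBase book for the release in use before enabling it.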