[GitHub] [hbase] joshelser commented on pull request #3934: HBASE-26553 OAuth Bearer authentication mech plugin for SASL
joshelser commented on pull request #3934:
URL: https://github.com/apache/hbase/pull/3934#issuecomment-1007784888

Alright! I was actually able to test this out today using Knox. I think there are a couple of high-level things we need to figure out:

* HBase clients will expect that renewals transparently happen. Either we need a renewer thread in hbase to get a new bearer token before it expires (I think this is possible, but we'd have to know where to get the new one from). Otherwise, we'd have to think about using the bearer token to get an hbase delegation token (which seems like too many tokens, tbh).
* How will users provide the bearer token into their HBase client? Environment variable? Well-known file?
* I tried enabling the RPC encryption from HBASE-16414 but regrettably can still see plaintext data going over the wire. Maybe that's just a bug in this patch, or maybe it's a bigger HBase SASL issue. Either way, we need encryption if we enable this auth'n feature.
* I would like to see a standalone (no external service dependency) test included in hbase-examples, rather than just a client. However, I don't know of a JWT-providing server we could easily embed into a test. Maybe knox could do this, or maybe nimbus has some testing server?
* Need to get some additions to the hbase book.

Now, given how big this patch is already, I think I'd suggest we work through these on a feature branch rather than try to do them in a single commit. WDYT, Andor? I think this approach would let us do some iteration more easily.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@hbase.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org