[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[
https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089710#comment-17089710
]
Josh Elser commented on HBASE-23347:
{quote}what about branch-2.2
{quote}
Not a target. We do not backport major changes to ongoing release branches as
encouragement to users to keep upgrading.
> Pluggable RPC authentication
>
>
> Key: HBASE-23347
> URL: https://issues.apache.org/jira/browse/HBASE-23347
> Project: HBase
> Issue Type: Improvement
> Components: rpc, security
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Today in HBase, we rely on SASL to implement Kerberos and delegation token
> authentication. The RPC client and server logic is very tightly coupled to
> our three authentication mechanism (the previously two mentioned plus simple
> auth'n) for no good reason (other than "that's how it was built", best as I
> can tell).
> SASL's function is to decouple the "application" from how a request is being
> authenticated, which means that, to support a variety of other authentication
> approaches, we just need to be a little more flexible in letting developers
> create their own authentication mechanism for HBase.
> This is less for the "average joe" user to write their own authentication
> plugin (eek), but more to allow us HBase developers to start iterating, see
> what is possible.
> I'll attach a full write-up on what I have today as to how I think we can add
> these abstractions, as well as an initial implementation of this idea, with a
> unit test that shows an end-to-end authentication solution against HBase.
> cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots
> of great feedback and support.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089482#comment-17089482 ] Yechao Chen commented on HBASE-23347: - what about branch-2.2 > Pluggable RPC authentication > > > Key: HBASE-23347 > URL: https://issues.apache.org/jira/browse/HBASE-23347 > Project: HBase > Issue Type: Improvement > Components: rpc, security >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Major > Fix For: 3.0.0, 2.3.0 > > > Today in HBase, we rely on SASL to implement Kerberos and delegation token > authentication. The RPC client and server logic is very tightly coupled to > our three authentication mechanism (the previously two mentioned plus simple > auth'n) for no good reason (other than "that's how it was built", best as I > can tell). > SASL's function is to decouple the "application" from how a request is being > authenticated, which means that, to support a variety of other authentication > approaches, we just need to be a little more flexible in letting developers > create their own authentication mechanism for HBase. > This is less for the "average joe" user to write their own authentication > plugin (eek), but more to allow us HBase developers to start iterating, see > what is possible. > I'll attach a full write-up on what I have today as to how I think we can add > these abstractions, as well as an initial implementation of this idea, with a > unit test that shows an end-to-end authentication solution against HBase. > cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots > of great feedback and support. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089481#comment-17089481 ] Yechao Chen commented on HBASE-23347: - what about branch-2 ? [~elserj] > Pluggable RPC authentication > > > Key: HBASE-23347 > URL: https://issues.apache.org/jira/browse/HBASE-23347 > Project: HBase > Issue Type: Improvement > Components: rpc, security >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Major > Fix For: 3.0.0, 2.3.0 > > > Today in HBase, we rely on SASL to implement Kerberos and delegation token > authentication. The RPC client and server logic is very tightly coupled to > our three authentication mechanism (the previously two mentioned plus simple > auth'n) for no good reason (other than "that's how it was built", best as I > can tell). > SASL's function is to decouple the "application" from how a request is being > authenticated, which means that, to support a variety of other authentication > approaches, we just need to be a little more flexible in letting developers > create their own authentication mechanism for HBase. > This is less for the "average joe" user to write their own authentication > plugin (eek), but more to allow us HBase developers to start iterating, see > what is possible. > I'll attach a full write-up on what I have today as to how I think we can add > these abstractions, as well as an initial implementation of this idea, with a > unit test that shows an end-to-end authentication solution against HBase. > cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots > of great feedback and support. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[
https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17021059#comment-17021059
]
Hudson commented on HBASE-23347:
Results for branch master
[build #1605 on
builds.a.o|https://builds.apache.org/job/HBase%20Nightly/job/master/1605/]: (x)
*{color:red}-1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://builds.apache.org/job/HBase%20Nightly/job/master/1605//General_Nightly_Build_Report/]
(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://builds.apache.org/job/HBase%20Nightly/job/master/1605//JDK8_Nightly_Build_Report_(Hadoop2)/]
(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://builds.apache.org/job/HBase%20Nightly/job/master/1605//JDK8_Nightly_Build_Report_(Hadoop3)/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> Pluggable RPC authentication
>
>
> Key: HBASE-23347
> URL: https://issues.apache.org/jira/browse/HBASE-23347
> Project: HBase
> Issue Type: Improvement
> Components: rpc, security
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Today in HBase, we rely on SASL to implement Kerberos and delegation token
> authentication. The RPC client and server logic is very tightly coupled to
> our three authentication mechanism (the previously two mentioned plus simple
> auth'n) for no good reason (other than "that's how it was built", best as I
> can tell).
> SASL's function is to decouple the "application" from how a request is being
> authenticated, which means that, to support a variety of other authentication
> approaches, we just need to be a little more flexible in letting developers
> create their own authentication mechanism for HBase.
> This is less for the "average joe" user to write their own authentication
> plugin (eek), but more to allow us HBase developers to start iterating, see
> what is possible.
> I'll attach a full write-up on what I have today as to how I think we can add
> these abstractions, as well as an initial implementation of this idea, with a
> unit test that shows an end-to-end authentication solution against HBase.
> cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots
> of great feedback and support.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[
https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17020668#comment-17020668
]
Hudson commented on HBASE-23347:
Results for branch branch-2
[build #2423 on
builds.a.o|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/2423/]:
(x) *{color:red}-1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/2423//General_Nightly_Build_Report/]
(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/2423//JDK8_Nightly_Build_Report_(Hadoop2)/]
(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/2423//JDK8_Nightly_Build_Report_(Hadoop3)/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> Pluggable RPC authentication
>
>
> Key: HBASE-23347
> URL: https://issues.apache.org/jira/browse/HBASE-23347
> Project: HBase
> Issue Type: Improvement
> Components: rpc, security
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Today in HBase, we rely on SASL to implement Kerberos and delegation token
> authentication. The RPC client and server logic is very tightly coupled to
> our three authentication mechanism (the previously two mentioned plus simple
> auth'n) for no good reason (other than "that's how it was built", best as I
> can tell).
> SASL's function is to decouple the "application" from how a request is being
> authenticated, which means that, to support a variety of other authentication
> approaches, we just need to be a little more flexible in letting developers
> create their own authentication mechanism for HBase.
> This is less for the "average joe" user to write their own authentication
> plugin (eek), but more to allow us HBase developers to start iterating, see
> what is possible.
> I'll attach a full write-up on what I have today as to how I think we can add
> these abstractions, as well as an initial implementation of this idea, with a
> unit test that shows an end-to-end authentication solution against HBase.
> cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots
> of great feedback and support.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17019203#comment-17019203 ] Guanghao Zhang commented on HBASE-23347: TestThriftSpnegoHttpFallbackServer and TestSecureRESTServer failed. May releated to this issue. > Pluggable RPC authentication > > > Key: HBASE-23347 > URL: https://issues.apache.org/jira/browse/HBASE-23347 > Project: HBase > Issue Type: Improvement > Components: rpc, security >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Major > Fix For: 3.0.0, 2.3.0 > > > Today in HBase, we rely on SASL to implement Kerberos and delegation token > authentication. The RPC client and server logic is very tightly coupled to > our three authentication mechanism (the previously two mentioned plus simple > auth'n) for no good reason (other than "that's how it was built", best as I > can tell). > SASL's function is to decouple the "application" from how a request is being > authenticated, which means that, to support a variety of other authentication > approaches, we just need to be a little more flexible in letting developers > create their own authentication mechanism for HBase. > This is less for the "average joe" user to write their own authentication > plugin (eek), but more to allow us HBase developers to start iterating, see > what is possible. > I'll attach a full write-up on what I have today as to how I think we can add > these abstractions, as well as an initial implementation of this idea, with a > unit test that shows an end-to-end authentication solution against HBase. > cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots > of great feedback and support. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[
https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17017981#comment-17017981
]
Hudson commented on HBASE-23347:
Results for branch master
[build #1600 on
builds.a.o|https://builds.apache.org/job/HBase%20Nightly/job/master/1600/]: (x)
*{color:red}-1 overall{color}*
details (if available):
(x) {color:red}-1 general checks{color}
-- For more information [see general
report|https://builds.apache.org/job/HBase%20Nightly/job/master/1600//General_Nightly_Build_Report/]
(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://builds.apache.org/job/HBase%20Nightly/job/master/1600//JDK8_Nightly_Build_Report_(Hadoop2)/]
(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://builds.apache.org/job/HBase%20Nightly/job/master/1600//JDK8_Nightly_Build_Report_(Hadoop3)/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> Pluggable RPC authentication
>
>
> Key: HBASE-23347
> URL: https://issues.apache.org/jira/browse/HBASE-23347
> Project: HBase
> Issue Type: Improvement
> Components: rpc, security
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Today in HBase, we rely on SASL to implement Kerberos and delegation token
> authentication. The RPC client and server logic is very tightly coupled to
> our three authentication mechanism (the previously two mentioned plus simple
> auth'n) for no good reason (other than "that's how it was built", best as I
> can tell).
> SASL's function is to decouple the "application" from how a request is being
> authenticated, which means that, to support a variety of other authentication
> approaches, we just need to be a little more flexible in letting developers
> create their own authentication mechanism for HBase.
> This is less for the "average joe" user to write their own authentication
> plugin (eek), but more to allow us HBase developers to start iterating, see
> what is possible.
> I'll attach a full write-up on what I have today as to how I think we can add
> these abstractions, as well as an initial implementation of this idea, with a
> unit test that shows an end-to-end authentication solution against HBase.
> cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots
> of great feedback and support.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[
https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17017707#comment-17017707
]
Hudson commented on HBASE-23347:
Results for branch branch-2
[build #2418 on
builds.a.o|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/2418/]:
(x) *{color:red}-1 overall{color}*
details (if available):
(x) {color:red}-1 general checks{color}
-- For more information [see general
report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/2418//General_Nightly_Build_Report/]
(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/2418//JDK8_Nightly_Build_Report_(Hadoop2)/]
(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/2418//JDK8_Nightly_Build_Report_(Hadoop3)/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> Pluggable RPC authentication
>
>
> Key: HBASE-23347
> URL: https://issues.apache.org/jira/browse/HBASE-23347
> Project: HBase
> Issue Type: Improvement
> Components: rpc, security
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Major
> Fix For: 3.0.0, 2.3.0
>
>
> Today in HBase, we rely on SASL to implement Kerberos and delegation token
> authentication. The RPC client and server logic is very tightly coupled to
> our three authentication mechanism (the previously two mentioned plus simple
> auth'n) for no good reason (other than "that's how it was built", best as I
> can tell).
> SASL's function is to decouple the "application" from how a request is being
> authenticated, which means that, to support a variety of other authentication
> approaches, we just need to be a little more flexible in letting developers
> create their own authentication mechanism for HBase.
> This is less for the "average joe" user to write their own authentication
> plugin (eek), but more to allow us HBase developers to start iterating, see
> what is possible.
> I'll attach a full write-up on what I have today as to how I think we can add
> these abstractions, as well as an initial implementation of this idea, with a
> unit test that shows an end-to-end authentication solution against HBase.
> cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots
> of great feedback and support.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17017280#comment-17017280 ] Josh Elser commented on HBASE-23347: [~zhangduo], are you interested in this landing onto branch-2.2? While there should be no outward impact on users, it struck me as too "big" of a change for maintenance releases. Curious what you think. Thanks. > Pluggable RPC authentication > > > Key: HBASE-23347 > URL: https://issues.apache.org/jira/browse/HBASE-23347 > Project: HBase > Issue Type: Improvement > Components: rpc, security >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Major > Fix For: 3.0.0, 2.3.0 > > > Today in HBase, we rely on SASL to implement Kerberos and delegation token > authentication. The RPC client and server logic is very tightly coupled to > our three authentication mechanism (the previously two mentioned plus simple > auth'n) for no good reason (other than "that's how it was built", best as I > can tell). > SASL's function is to decouple the "application" from how a request is being > authenticated, which means that, to support a variety of other authentication > approaches, we just need to be a little more flexible in letting developers > create their own authentication mechanism for HBase. > This is less for the "average joe" user to write their own authentication > plugin (eek), but more to allow us HBase developers to start iterating, see > what is possible. > I'll attach a full write-up on what I have today as to how I think we can add > these abstractions, as well as an initial implementation of this idea, with a > unit test that shows an end-to-end authentication solution against HBase. > cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots > of great feedback and support. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16994875#comment-16994875 ] Josh Elser commented on HBASE-23347: Thanks Reid! Will wait for ya. > Pluggable RPC authentication > > > Key: HBASE-23347 > URL: https://issues.apache.org/jira/browse/HBASE-23347 > Project: HBase > Issue Type: Improvement > Components: rpc, security >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Major > Fix For: 3.0.0 > > > Today in HBase, we rely on SASL to implement Kerberos and delegation token > authentication. The RPC client and server logic is very tightly coupled to > our three authentication mechanism (the previously two mentioned plus simple > auth'n) for no good reason (other than "that's how it was built", best as I > can tell). > SASL's function is to decouple the "application" from how a request is being > authenticated, which means that, to support a variety of other authentication > approaches, we just need to be a little more flexible in letting developers > create their own authentication mechanism for HBase. > This is less for the "average joe" user to write their own authentication > plugin (eek), but more to allow us HBase developers to start iterating, see > what is possible. > I'll attach a full write-up on what I have today as to how I think we can add > these abstractions, as well as an initial implementation of this idea, with a > unit test that shows an end-to-end authentication solution against HBase. > cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots > of great feedback and support. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16994150#comment-16994150 ] Reid Chan commented on HBASE-23347: --- Left few comments in pr, but i haven't finished server-side impl yet. Will be back! > Pluggable RPC authentication > > > Key: HBASE-23347 > URL: https://issues.apache.org/jira/browse/HBASE-23347 > Project: HBase > Issue Type: Improvement > Components: rpc, security >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Major > Fix For: 3.0.0 > > > Today in HBase, we rely on SASL to implement Kerberos and delegation token > authentication. The RPC client and server logic is very tightly coupled to > our three authentication mechanism (the previously two mentioned plus simple > auth'n) for no good reason (other than "that's how it was built", best as I > can tell). > SASL's function is to decouple the "application" from how a request is being > authenticated, which means that, to support a variety of other authentication > approaches, we just need to be a little more flexible in letting developers > create their own authentication mechanism for HBase. > This is less for the "average joe" user to write their own authentication > plugin (eek), but more to allow us HBase developers to start iterating, see > what is possible. > I'll attach a full write-up on what I have today as to how I think we can add > these abstractions, as well as an initial implementation of this idea, with a > unit test that shows an end-to-end authentication solution against HBase. > cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots > of great feedback and support. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16990174#comment-16990174 ] Josh Elser commented on HBASE-23347: Sorry 'bout that, Reid! See [https://github.com/joshelser/hbase/blob/23347-pluggable-authentication/dev-support/design-docs/HBASE-23347-pluggable-authentication.md]. I moved it in with the other design docs after Busbey mentioned they were there :) Happy to get your feedback if you have the cycles. > Pluggable RPC authentication > > > Key: HBASE-23347 > URL: https://issues.apache.org/jira/browse/HBASE-23347 > Project: HBase > Issue Type: Improvement > Components: rpc, security >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Major > Fix For: 3.0.0 > > > Today in HBase, we rely on SASL to implement Kerberos and delegation token > authentication. The RPC client and server logic is very tightly coupled to > our three authentication mechanism (the previously two mentioned plus simple > auth'n) for no good reason (other than "that's how it was built", best as I > can tell). > SASL's function is to decouple the "application" from how a request is being > authenticated, which means that, to support a variety of other authentication > approaches, we just need to be a little more flexible in letting developers > create their own authentication mechanism for HBase. > This is less for the "average joe" user to write their own authentication > plugin (eek), but more to allow us HBase developers to start iterating, see > what is possible. > I'll attach a full write-up on what I have today as to how I think we can add > these abstractions, as well as an initial implementation of this idea, with a > unit test that shows an end-to-end authentication solution against HBase. > cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots > of great feedback and support. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[ https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989521#comment-16989521 ] Reid Chan commented on HBASE-23347: --- This is 404 [https://github.com/joshelser/hbase/blob/23347-pluggable-authentication/PluggableRpcAuthentication.md], expecting update. I'm a fan of this idea(y), but it may takes some time to go through. > Pluggable RPC authentication > > > Key: HBASE-23347 > URL: https://issues.apache.org/jira/browse/HBASE-23347 > Project: HBase > Issue Type: Improvement > Components: rpc, security >Reporter: Josh Elser >Assignee: Josh Elser >Priority: Major > Fix For: 3.0.0 > > > Today in HBase, we rely on SASL to implement Kerberos and delegation token > authentication. The RPC client and server logic is very tightly coupled to > our three authentication mechanism (the previously two mentioned plus simple > auth'n) for no good reason (other than "that's how it was built", best as I > can tell). > SASL's function is to decouple the "application" from how a request is being > authenticated, which means that, to support a variety of other authentication > approaches, we just need to be a little more flexible in letting developers > create their own authentication mechanism for HBase. > This is less for the "average joe" user to write their own authentication > plugin (eek), but more to allow us HBase developers to start iterating, see > what is possible. > I'll attach a full write-up on what I have today as to how I think we can add > these abstractions, as well as an initial implementation of this idea, with a > unit test that shows an end-to-end authentication solution against HBase. > cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots > of great feedback and support. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-23347) Pluggable RPC authentication
[
https://issues.apache.org/jira/browse/HBASE-23347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16984038#comment-16984038
]
Josh Elser commented on HBASE-23347:
Copying from the pull-request:
{quote}
This is a big one. Sorry ;)
Start here with a one-page writeup:
[https://github.com/joshelser/hbase/blob/23347-pluggable-authentication/PluggableRpcAuthentication.md]
Next, look at the client side interfaces:
[https://github.com/joshelser/hbase/tree/23347-pluggable-authentication/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider]
Then, the server side interfaces:
[https://github.com/joshelser/hbase/tree/23347-pluggable-authentication/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider]
Finally, an end-to-end example of how you can use this:
[https://github.com/joshelser/hbase/blob/23347-pluggable-authentication/hbase-server/src/test/java/org/apache/hadoop/hbase/security/provider/TestCustomSaslAuthenticationProvider.java]
This is very-much a first draft. This is "new art" for HBase and I expect some
discussion on how we want to safely do this. I'm fully expecting lots of
revisions.
Relevant tests should be passing, but this is also partially for me to let
QA-bot run. Everything I did was in attempts to retain backwards compatibility
with older clients, as well as RPC-impl compatibility. This should all be
implementation-details inside of HBase.
{quote}
> Pluggable RPC authentication
>
>
> Key: HBASE-23347
> URL: https://issues.apache.org/jira/browse/HBASE-23347
> Project: HBase
> Issue Type: Improvement
> Components: rpc, security
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Major
> Fix For: 3.0.0
>
>
> Today in HBase, we rely on SASL to implement Kerberos and delegation token
> authentication. The RPC client and server logic is very tightly coupled to
> our three authentication mechanism (the previously two mentioned plus simple
> auth'n) for no good reason (other than "that's how it was built", best as I
> can tell).
> SASL's function is to decouple the "application" from how a request is being
> authenticated, which means that, to support a variety of other authentication
> approaches, we just need to be a little more flexible in letting developers
> create their own authentication mechanism for HBase.
> This is less for the "average joe" user to write their own authentication
> plugin (eek), but more to allow us HBase developers to start iterating, see
> what is possible.
> I'll attach a full write-up on what I have today as to how I think we can add
> these abstractions, as well as an initial implementation of this idea, with a
> unit test that shows an end-to-end authentication solution against HBase.
> cc/ [~wchevreuil] as he's been working with me behind the scenes, giving lots
> of great feedback and support.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
