[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16182603#comment-16182603 ]

Lars George commented on HBASE-5291:
------------------------------------

[~mantonov] It looks like this was also committed to 1.3. Should we update the JIRA's fix versions?

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> ---------------------------------------------------------------------
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0, 1.4.0
>
> Attachments: 5291-addendum.2, HBASE-5291.001.patch,
> HBASE-5291.002.patch, HBASE-5291.003.patch, HBASE-5291.004.patch,
> HBASE-5291.005-0.98.patch, HBASE-5291.005-branch-1.patch,
> HBASE-5291.005.patch, HBASE-5291-addendum.patch
>
>
> Like HADOOP-7119, the same motivations:
> {quote}
> Hadoop RPC already supports Kerberos authentication.
> {quote}
> As does the HBase secure RPC engine.
> {quote}
> Kerberos enables single sign-on.
> Popular browsers (Firefox and Internet Explorer) have support for Kerberos
> HTTP SPNEGO.
> Adding support for Kerberos HTTP SPNEGO to [HBase] web consoles would provide
> a unified authentication mechanism and single sign-on for web UI and RPC.
> {quote}
> Also like HADOOP-7119, the same solution:
> A servlet filter is configured in front of all Hadoop web consoles for
> authentication.
> This filter verifies if the incoming request is already authenticated by the
> presence of a signed HTTP cookie. If the cookie is present, its signature is
> valid and its value didn't expire; then the request continues its way to the
> page invoked by the request. If the cookie is not present, it is invalid or
> it expired; then the request is delegated to an authenticator handler. The
> authenticator handler then is responsible for requesting/validating the
> user-agent for the user credentials. This may require one or more additional
> interactions between the authenticator handler and the user-agent (which will
> be multiple HTTP requests). Once the authenticator handler verifies the
> credentials and generates an authentication token, a signed cookie is
> returned to the user-agent for all subsequent invocations.
> The authenticator handler is pluggable and 2 implementations are provided out
> of the box: pseudo/simple and kerberos.
> 1. The pseudo/simple authenticator handler is equivalent to the Hadoop
> pseudo/simple authentication. It trusts the value of the user.name query
> string parameter. The pseudo/simple authenticator handler supports an
> anonymous mode which accepts any request without requiring the user.name
> query string parameter to create the token. This is the default behavior,
> preserving the behavior of the HBase web consoles before this patch.
> 2. The kerberos authenticator handler implements the Kerberos HTTP SPNEGO
> implementation. This authenticator handler will generate a token only if a
> successful Kerberos HTTP SPNEGO interaction is performed between the
> user-agent and the authenticator. Browsers like Firefox and Internet Explorer
> support Kerberos HTTP SPNEGO.
> We can build on the support added to Hadoop via HADOOP-7119. Should just be a
> matter of wiring up the filter to our infoservers in a similar manner.
> And from
> https://issues.apache.org/jira/browse/HBASE-5050?focusedCommentId=13171086=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13171086
> {quote}
> Hadoop 0.23 onwards has a hadoop-auth artifact that provides SPNEGO/Kerberos
> authentication for webapps via a filter. You should consider using it. You
> don't have to move HBase to 0.23 for that, just consume the hadoop-auth
> artifact, which has no dependencies on the rest of Hadoop 0.23 artifacts.
> {quote}

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
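The filter flow in the issue description above, modelled as an added example (it is not HBase or hadoop-auth code): a valid signed cookie passes, anything else is delegated to a pluggable handler, and a new signed cookie is issued on success. The secret, cookie name, token layout, lifetime and the `accept_spnego` callable (a hypothetical stand-in for GSS-API acceptance against the service keytab) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

SECRET = b"constructed-demo-secret"  # constructed; use a random secret in practice
COOKIE = "demo.auth"                 # constructed cookie name
TTL = 3600                           # token lifetime in seconds (constructed)


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def sign(user, expires):
    """Serialize the token and append its HMAC-SHA256 signature."""
    payload = urlencode({"u": user, "e": int(expires)})
    return f"{payload}&s={_mac(payload)}"


def verify(cookie, now):
    """Return the user if the signature is valid and the token unexpired."""
    payload, sep, mac = cookie.rpartition("&s=")
    if not sep:
        return None
    # Constant-time comparison; no field is parsed before the signature passes.
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    fields = parse_qs(payload)
    if int(fields["e"][0]) <= now:
        return None
    return fields["u"][0]


def pseudo_handler(anonymous_allowed=True):
    """pseudo/simple: trusts user.name as given, with no proof of identity."""
    def handle(request):
        user = request.get("query", {}).get("user.name")
        if not user and anonymous_allowed:
            user = "anonymous"  # constructed placeholder identity
        return (user, None) if user else (None, {"status": 401})
    return handle


def kerberos_handler(accept_spnego):
    """kerberos: a token is issued only after a successful SPNEGO exchange.

    accept_spnego is a hypothetical callable that takes the decoded token
    bytes and returns the authenticated principal, or None on failure.
    """
    challenge = {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}}

    def handle(request):
        header = request.get("headers", {}).get("Authorization", "")
        scheme, _, blob = header.partition(" ")
        if scheme != "Negotiate" or not blob:
            return None, challenge  # ask the user-agent to start SPNEGO
        try:
            principal = accept_spnego(base64.b64decode(blob, validate=True))
        except ValueError:
            return None, challenge  # malformed base64 in the header
        return (principal, None) if principal else (None, challenge)
    return handle


def auth_filter(request, handler, now=None):
    """Valid cookie: continue. Missing, invalid or expired: delegate."""
    now = time.time() if now is None else now
    cookie = request.get("cookies", {}).get(COOKIE)
    user = verify(cookie, now) if cookie else None
    if user:
        return {"status": 200, "user": user}
    user, challenge = handler(request)
    if not user:
        return challenge
    return {"status": 200, "user": user,
            "set_cookie": {COOKIE: sign(user, now + TTL)}}
```

With the pseudo/simple handler the signed cookie only proves that the server issued it; the name inside is whatever the client put in `user.name`, which is why the description calls that default equivalent to the unauthenticated consoles.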
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15335454#comment-15335454 ]

Hudson commented on HBASE-5291:
-------------------------------

FAILURE: Integrated in HBase-1.4 #220 (See [https://builds.apache.org/job/HBase-1.4/220/])
HBASE-5291 Addendum 2 passes correct path to deleteRecursively (tedyu: rev 45a0fc531a3d35edc78e9c60ef93bc7538cf4b30)
* hbase-server/src/test/java/org/apache/hadoop/hbase/http/HttpServerFunctionalTest.java
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15335312#comment-15335312 ]

Hudson commented on HBASE-5291:
-------------------------------

FAILURE: Integrated in HBase-Trunk_matrix #1061 (See [https://builds.apache.org/job/HBase-Trunk_matrix/1061/])
HBASE-5291 Addendum 2 passes correct path to deleteRecursively (tedyu: rev 6d0e0e3721fd7a0c020ce5c746c9369cb4220393)
* hbase-server/src/test/java/org/apache/hadoop/hbase/http/HttpServerFunctionalTest.java
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15335240#comment-15335240 ]

Josh Elser commented on HBASE-5291:
-----------------------------------

bq. I see the config property issue was fixed with the addendum patch

Yep, you got it.

bq. It doesn't look like you have sub directories where this is called in the tests though.

It's called on a parent directory, but you're right in that there are no directories contained in that directory.
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15335014#comment-15335014 ]

Gary Helmling commented on HBASE-5291:
--------------------------------------

+1 on addendum 2.
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15334960#comment-15334960 ]

Ted Yu commented on HBASE-5291:
-------------------------------

Addendum was committed to both branches.
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15334944#comment-15334944 ]

Gary Helmling commented on HBASE-5291:
--------------------------------------

I see the config property issue was fixed with the addendum patch. Was that committed to both master and branch-1?
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15334942#comment-15334942 ]

Gary Helmling commented on HBASE-5291:
--------------------------------------

Overall this looks good, but I see a couple of issues.

I think there's an issue in the config parameters used here:
{code}
static final String HTTP_AUTHENTICATION_PREFIX = "hbase.security.authentication.spnego.";
static final String HTTP_SPNEGO_AUTHENTICATION_PREFIX = HTTP_AUTHENTICATION_PREFIX + "spnego.";
{code}

I'm guessing the "spnego." suffix should not be present on HTTP_AUTHENTICATION_PREFIX. As is, the documented config properties (thanks for the docs!) will not work.

In HttpServerFunctionalTest.deleteRecursively():
{code}
deleteRecursively(d);
{code}
should be:
{code}
deleteRecursively(child);
{code}

It doesn't look like you have sub directories where this is called in the tests though.
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15333796#comment-15333796 ]

Josh Elser commented on HBASE-5291:
-----------------------------------

Alright, going to make an administrative decision. branch-1 and master are both great, so I'm going to resolve this. I'll open up a sub-task to pursue the 0.98 port as I think it's going to require some extra effort.
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15333783#comment-15333783 ]

Josh Elser commented on HBASE-5291:
-----------------------------------

bq. I'd like to pin and stabilize 1.3 now, so since it's not a bug and not critical, I'd say let's leave it to 1.4..

No worries! You're the boss for 1.3. That's fine by me.

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> ---------------------------------------------------------------------
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0, 1.4.0, 0.98.21
>
> Attachments: HBASE-5291-addendum.patch, HBASE-5291.001.patch,
> HBASE-5291.002.patch, HBASE-5291.003.patch, HBASE-5291.004.patch,
> HBASE-5291.005-0.98.patch, HBASE-5291.005-branch-1.patch, HBASE-5291.005.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15333423#comment-15333423 ]

Mikhail Antonov commented on HBASE-5291:
----------------------------------------

I'd like to pin and stabilize 1.3 now, so since it's not a bug and not critical, I'd say let's leave it to 1.4..
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332984#comment-15332984 ]

Hudson commented on HBASE-5291:
-------------------------------

FAILURE: Integrated in HBase-Trunk_matrix #1055 (See [https://builds.apache.org/job/HBase-Trunk_matrix/1055/])
HBASE-5291 Addendum removes duplicate spnego (Josh Elser) (tedyu: rev 1bad166f677ef565607c1f9660114a7a55c27b7b)
* hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332803#comment-15332803 ]

Josh Elser commented on HBASE-5291:
-----------------------------------

Turns out, *something* is weird with the secret.signature.file in 0.98, but I haven't been able to track down what. If I set a file (used to sign the cookies, IIRC), everything works great. If I don't, none of the static resources can be loaded (KDC thinks it's a replay attack).

I did double check this in master: the file can be provided or not; things work fine either way. I'm guessing there must be something different between the version of HttpServer that was copied into newer versions of HBase and the one we're using directly from Hadoop in 0.98. I haven't been able to figure out what it is yet.

I am half-inclined to just make the signature.secret.file a required property and move on, but we'll see if curiosity still gets the best of me...
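The cookie check from the quoted issue description, and the part the signing secret plays in it (the secret file the comment above mentions), as an added example that is not code from HBase or hadoop-auth. The token layout, the HMAC-SHA256 signature and all class and method names are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added illustration of a signed-cookie check; not HBase or hadoop-auth code. */
public class SignedCookieDemo {

    /** The two outcomes the issue description gives for an incoming request. */
    enum Decision { CONTINUE_TO_PAGE, DELEGATE_TO_AUTHENTICATOR }

    private static final String SIG_MARKER = "&s=";   // assumed separator for this demo
    private final byte[] secret;

    SignedCookieDemo(byte[] secret) {
        this.secret = secret.clone();
    }

    /** Called once the authenticator handler has verified the credentials. */
    String issueCookie(String user, long expiresAtMillis) {
        String token = user + "|" + expiresAtMillis;   // assumed token layout
        return token + SIG_MARKER + sign(token);
    }

    /** Cookie present, signature valid, not expired: continue. Anything else: delegate. */
    Decision check(String cookie, long nowMillis) {
        if (cookie == null) {
            return Decision.DELEGATE_TO_AUTHENTICATOR;
        }
        int sigAt = cookie.lastIndexOf(SIG_MARKER);
        if (sigAt < 0) {
            return Decision.DELEGATE_TO_AUTHENTICATOR;
        }
        String token = cookie.substring(0, sigAt);
        String presented = cookie.substring(sigAt + SIG_MARKER.length());
        // Verify the signature before trusting any field of the token.
        // MessageDigest.isEqual is a time-constant comparison.
        boolean signatureOk = MessageDigest.isEqual(
            sign(token).getBytes(StandardCharsets.UTF_8),
            presented.getBytes(StandardCharsets.UTF_8));
        if (!signatureOk) {
            return Decision.DELEGATE_TO_AUTHENTICATOR;
        }
        try {
            long expiresAt = Long.parseLong(token.substring(token.lastIndexOf('|') + 1));
            return nowMillis < expiresAt
                ? Decision.CONTINUE_TO_PAGE
                : Decision.DELEGATE_TO_AUTHENTICATOR;
        } catch (NumberFormatException e) {
            return Decision.DELEGATE_TO_AUTHENTICATOR;
        }
    }

    /** HMAC-SHA256 over the token, base64url-encoded so it never contains '&'. */
    private String sign(String token) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] tag = mac.doFinal(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        long now = 1_700_000_000_000L;   // constructed clock value
        // Constructed secret standing in for the contents of a configured secret file.
        byte[] shared = "constructed-secret-read-from-a-file".getBytes(StandardCharsets.UTF_8);
        // A secret generated at startup, as a server without a configured file might use.
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);

        SignedCookieDemo issuer = new SignedCookieDemo(shared);
        SignedCookieDemo sameSecret = new SignedCookieDemo(shared);
        SignedCookieDemo otherSecret = new SignedCookieDemo(random);

        String cookie = issuer.issueCookie("alice", now + 60_000);
        String tampered = cookie.replaceFirst("alice", "admin");

        System.out.println("no cookie        -> " + issuer.check(null, now));
        System.out.println("valid cookie     -> " + sameSecret.check(cookie, now));
        System.out.println("tampered user    -> " + sameSecret.check(tampered, now));
        System.out.println("expired          -> " + sameSecret.check(cookie, now + 120_000));
        System.out.println("different secret -> " + otherSecret.check(cookie, now));
    }
}
```

A verifier holding a different secret rejects a cookie that is otherwise valid and unexpired, so that request goes back to the authenticator handler.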
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332745#comment-15332745 ]

Hudson commented on HBASE-5291:
-------------------------------

SUCCESS: Integrated in HBase-1.4 #216 (See [https://builds.apache.org/job/HBase-1.4/216/])
HBASE-5291 Add Kerberos HTTP SPNEGO authentication support to HBase web (tedyu: rev e417cf6b24ddcb1676b7270ca0416472a17825cf)
* hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestSpnegoHttpServer.java
* pom.xml
* hbase-server/pom.xml
* hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
* hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
* hbase-server/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java
* hbase-server/src/test/java/org/apache/hadoop/hbase/http/HttpServerFunctionalTest.java
* src/main/asciidoc/_chapters/security.adoc
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332716#comment-15332716 ]

Josh Elser commented on HBASE-5291:
-----------------------------------

Looks like 0.98 continues to be a headache. The static resources aren't being returned when I have SPNEGO enabled (the site will render the JSPs, but no styles are present). Still working on it..
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332591#comment-15332591 ]

Josh Elser commented on HBASE-5291:
---

Ack, rolling a .006. Looks like I botched the config property (ended up with duplicate "spnego") when implementing Kai's feedback.

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> -
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0, 1.4.0, 0.98.21
>
> Attachments: HBASE-5291.001.patch, HBASE-5291.002.patch,
> HBASE-5291.003.patch, HBASE-5291.004.patch, HBASE-5291.005-0.98.patch,
> HBASE-5291.005-branch-1.patch, HBASE-5291.005.patch
>
>
> Like HADOOP-7119, the same motivations:
> {quote}
> Hadoop RPC already supports Kerberos authentication.
> {quote}
> As does the HBase secure RPC engine.
> {quote}
> Kerberos enables single sign-on.
> Popular browsers (Firefox and Internet Explorer) have support for Kerberos
> HTTP SPNEGO.
> Adding support for Kerberos HTTP SPNEGO to [HBase] web consoles would provide
> a unified authentication mechanism and single sign-on for web UI and RPC.
> {quote}
> Also like HADOOP-7119, the same solution:
> A servlet filter is configured in front of all Hadoop web consoles for
> authentication.
> This filter verifies if the incoming request is already authenticated by the
> presence of a signed HTTP cookie. If the cookie is present, its signature is
> valid and its value didn't expire; then the request continues its way to the
> page invoked by the request. If the cookie is not present, it is invalid or
> it expired; then the request is delegated to an authenticator handler. The
> authenticator handler then is responsible for requesting/validating the
> user-agent for the user credentials. This may require one or more additional
> interactions between the authenticator handler and the user-agent (which will
> be multiple HTTP requests). Once the authenticator handler verifies the
> credentials and generates an authentication token, a signed cookie is
> returned to the user-agent for all subsequent invocations.
> The authenticator handler is pluggable and 2 implementations are provided out
> of the box: pseudo/simple and kerberos.
> 1. The pseudo/simple authenticator handler is equivalent to the Hadoop
> pseudo/simple authentication. It trusts the value of the user.name query
> string parameter. The pseudo/simple authenticator handler supports an
> anonymous mode which accepts any request without requiring the user.name
> query string parameter to create the token. This is the default behavior,
> preserving the behavior of the HBase web consoles before this patch.
> 2. The kerberos authenticator handler implements the Kerberos HTTP SPNEGO
> implementation. This authenticator handler will generate a token only if a
> successful Kerberos HTTP SPNEGO interaction is performed between the
> user-agent and the authenticator. Browsers like Firefox and Internet Explorer
> support Kerberos HTTP SPNEGO.
> We can build on the support added to Hadoop via HADOOP-7119. Should just be a
> matter of wiring up the filter to our infoservers in a similar manner.
> And from
> https://issues.apache.org/jira/browse/HBASE-5050?focusedCommentId=13171086=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13171086
> {quote}
> Hadoop 0.23 onwards has a hadoop-auth artifact that provides SPNEGO/Kerberos
> authentication for webapps via a filter. You should consider using it. You
> don't have to move Hbase to 0.23 for that, just consume the hadoop-auth
> artifact, which has no dependencies on the rest of Hadoop 0.23 artifacts.
> {quote}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
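The filter flow in the issue description above (a valid signed cookie passes, anything else goes to the pluggable authenticator handler), as an added Java example that is not hadoop-auth or HBase code. The class names, the cookie layout and the HMAC-SHA256 signer are assumptions, and only the pseudo/simple handler is modelled.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Model of the filter flow in the issue description. Names and cookie layout are assumptions. */
public class SignedCookieFilterModel {
    /** Pluggable authenticator handler: a user name on success, empty when the caller is refused. */
    interface AuthHandler {
        Optional<String> authenticate(Map<String, String> query);
    }

    /** pseudo/simple handler: trusts user.name; anonymous mode accepts requests that omit it. */
    static AuthHandler pseudo(boolean anonymousAllowed) {
        return query -> {
            String user = query.get("user.name");
            if (user != null && !user.isEmpty()) return Optional.of(user); // caller-asserted, never verified
            return anonymousAllowed ? Optional.of("anonymous") : Optional.empty();
        };
    }

    /** Outcome of one request: HTTP status, authenticated user, cookie to set (null if none). */
    static final class Result {
        final int status; final String user; final String setCookie;
        Result(int s, String u, String c) { status = s; user = u; setCookie = c; }
        @Override public String toString() { return status + " user=" + user + " newCookie=" + (setCookie != null); }
    }

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] secret;
    private final long validityMs;
    private final AuthHandler handler;
    SignedCookieFilterModel(byte[] secret, long validityMs, AuthHandler handler) {
        this.secret = secret.clone();
        this.validityMs = validityMs;
        this.handler = handler;
    }

    private String sign(String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return B64.encodeToString(mac.doFinal(payload.getBytes(UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Assumed layout: base64url(user) "." expiryMillis "." base64url(HMAC over the first two). */
    String issueCookie(String user, long nowMs) {
        String payload = B64.encodeToString(user.getBytes(UTF_8)) + "." + (nowMs + validityMs);
        return payload + "." + sign(payload);
    }

    /** Returns the user only if the signature is valid and the token has not expired. */
    Optional<String> verifyCookie(String cookie, long nowMs) {
        String[] parts = cookie == null ? new String[0] : cookie.split("\\.", -1);
        if (parts.length != 3) return Optional.empty();
        byte[] expected = sign(parts[0] + "." + parts[1]).getBytes(UTF_8);
        byte[] presented = parts[2].getBytes(UTF_8);
        if (!MessageDigest.isEqual(expected, presented)) return Optional.empty(); // constant time
        try {
            if (nowMs >= Long.parseLong(parts[1])) return Optional.empty(); // expired
            return Optional.of(new String(Base64.getUrlDecoder().decode(parts[0]), UTF_8));
        } catch (IllegalArgumentException e) { // malformed number or base64
            return Optional.empty();
        }
    }

    /** The filter: a valid cookie passes straight through, anything else goes to the handler. */
    Result handle(String cookie, Map<String, String> query, long nowMs) {
        Optional<String> known = verifyCookie(cookie, nowMs);
        if (known.isPresent()) return new Result(200, known.get(), null);
        Optional<String> fresh = handler.authenticate(query);
        if (!fresh.isPresent()) return new Result(401, null, null);
        return new Result(200, fresh.get(), issueCookie(fresh.get(), nowMs));
    }

    public static void main(String[] args) {
        byte[] secret = "constructed-demo-secret".getBytes(UTF_8); // constructed sample value
        long now = 1_000_000L, hour = 3_600_000L;
        SignedCookieFilterModel open = new SignedCookieFilterModel(secret, hour, pseudo(true));
        SignedCookieFilterModel strict = new SignedCookieFilterModel(secret, hour, pseudo(false));
        System.out.println(open.handle(null, Map.of(), now));   // anonymous mode, no user.name
        System.out.println(strict.handle(null, Map.of(), now)); // anonymous disabled, no user.name
        Result login = strict.handle(null, Map.of("user.name", "alice"), now);
        System.out.println(login);                                             // first request
        System.out.println(strict.handle(login.setCookie, Map.of(), now + 1));    // cookie sent back
        System.out.println(strict.handle(login.setCookie, Map.of(), now + hour)); // same cookie after expiry
        String tampered = B64.encodeToString("admin".getBytes(UTF_8))
                + login.setCookie.substring(login.setCookie.indexOf('.'));
        System.out.println(strict.handle(tampered, Map.of(), now + 1));        // user field altered
    }
}
```

With `pseudo(true)`, the default the description mentions, every request is admitted and `user.name` is whatever the caller sends, so the signature protects the token's integrity rather than the identity in it. Only a handler that verifies credentials, such as the kerberos one, makes the signed cookie evidence of who the user is.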
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332496#comment-15332496 ]

Josh Elser commented on HBASE-5291:
---

bq. Skimmed the patch, looks good to me. Did you test it with real cluster as well?

Thanks for looking. Apparently I forgot to mention: yes, I did test this locally (Hadoop 2.7.1 and MIT Kerberos). Was able to verify Chrome could access the UI when I had a valid ticket and could not when I didn't.

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> -
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0, 1.4.0, 0.98.21
>
> Attachments: HBASE-5291.001.patch, HBASE-5291.002.patch,
> HBASE-5291.003.patch, HBASE-5291.004.patch, HBASE-5291.005-branch-1.patch,
> HBASE-5291.005.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332487#comment-15332487 ]

Mikhail Antonov commented on HBASE-5291:

[~elserj] Skimmed the patch, looks good to me. Did you test it with real cluster as well?

Would be also nice to see more reviews in here. [~ghelmling] want to take a look?

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> -
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0, 1.4.0, 0.98.21
>
> Attachments: HBASE-5291.001.patch, HBASE-5291.002.patch,
> HBASE-5291.003.patch, HBASE-5291.004.patch, HBASE-5291.005-branch-1.patch,
> HBASE-5291.005.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15331921#comment-15331921 ]

Josh Elser commented on HBASE-5291:
---

[~mantonov], do you want this for 1.3? (going off memory that you're the RM, sorry if I'm wrong :))

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> -
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0
>
> Attachments: HBASE-5291.001.patch, HBASE-5291.002.patch,
> HBASE-5291.003.patch, HBASE-5291.004.patch, HBASE-5291.005.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15331923#comment-15331923 ]

Josh Elser commented on HBASE-5291:
---

[~apurtell], also tagged 0.98.21. I assume you want this since you filed the original issue :)

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> -
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0, 1.4.0, 0.98.21
>
> Attachments: HBASE-5291.001.patch, HBASE-5291.002.patch,
> HBASE-5291.003.patch, HBASE-5291.004.patch, HBASE-5291.005.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15331889#comment-15331889 ]

Josh Elser commented on HBASE-5291:
---

Thanks [~yuzhih...@gmail.com].

bq. Mind filling out release notes ?

Sure. Will do that.

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> -
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0
>
> Attachments: HBASE-5291.001.patch, HBASE-5291.002.patch,
> HBASE-5291.003.patch, HBASE-5291.004.patch, HBASE-5291.005.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15330813#comment-15330813 ]

Ted Yu commented on HBASE-5291:
---

lgtm

Mind filling out release notes ?

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> -
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0
>
> Attachments: HBASE-5291.001.patch, HBASE-5291.002.patch,
> HBASE-5291.003.patch, HBASE-5291.004.patch, HBASE-5291.005.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15329584#comment-15329584 ]

Josh Elser commented on HBASE-5291:
---

Test failures seem spurious and the compiler warnings are irrelevant to these changes (not sure why they were triggered as "new")

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
> -
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0
>
> Attachments: HBASE-5291.001.patch, HBASE-5291.002.patch,
> HBASE-5291.003.patch, HBASE-5291.004.patch, HBASE-5291.005.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328873#comment-15328873 ]

Hadoop QA commented on HBASE-5291:
--

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| +1 | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 2 new or modified test files. |
| 0 | mvndep | 0m 19s | Maven dependency ordering for branch |
| +1 | mvninstall | 3m 22s | master passed |
| +1 | compile | 3m 21s | master passed with JDK v1.8.0 |
| +1 | compile | 3m 6s | master passed with JDK v1.7.0_79 |
| +1 | checkstyle | 1m 50s | master passed |
| +1 | mvneclipse | 1m 19s | master passed |
| 0 | findbugs | 0m 0s | Skipped branch modules with no Java source: . |
| +1 | findbugs | 1m 54s | master passed |
| +1 | javadoc | 3m 2s | master passed with JDK v1.8.0 |
| +1 | javadoc | 2m 52s | master passed with JDK v1.7.0_79 |
| 0 | mvndep | 0m 11s | Maven dependency ordering for patch |
| +1 | mvninstall | 3m 33s | the patch passed |
| +1 | compile | 3m 4s | the patch passed with JDK v1.8.0 |
| +1 | javac | 3m 4s | the patch passed |
| +1 | compile | 3m 2s | the patch passed with JDK v1.7.0_79 |
| -1 | javac | 9m 50s | hbase-server-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 4 unchanged - 2 fixed = 6 total (was 6) |
| -1 | javac | 9m 51s | root-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 35 unchanged - 2 fixed = 37 total (was 37) |
| +1 | javac | 3m 2s | the patch passed |
| +1 | checkstyle | 1m 55s | the patch passed |
| +1 | mvneclipse | 1m 28s | the patch passed |
| +1 | whitespace | 0m 0s | Patch has no whitespace issues. |
| +1 | xml | 0m 2s | The patch has no ill-formed XML file. |
| +1 | hadoopcheck | 28m 14s | Patch does not cause any errors with Hadoop 2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. |
| 0 | findbugs | 0m 0s | Skipped patch modules with no Java source: . |
| +1 | findbugs | 2m 16s | the patch passed |
| +1 | javadoc | 3m 2s | the patch passed with JDK v1.8.0 |
| +1 | javadoc | 3m 35s | the patch passed with JDK v1.7.0_79 |
| -1 | unit | 108m 11s | hbase-server in the patch failed. |
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328823#comment-15328823 ]

Hadoop QA commented on HBASE-5291:

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| +1 | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 2 new or modified test files. |
| 0 | mvndep | 0m 11s | Maven dependency ordering for branch |
| +1 | mvninstall | 3m 27s | master passed |
| +1 | compile | 3m 51s | master passed with JDK v1.8.0 |
| +1 | compile | 3m 27s | master passed with JDK v1.7.0_79 |
| +1 | checkstyle | 2m 8s | master passed |
| +1 | mvneclipse | 1m 30s | master passed |
| 0 | findbugs | 0m 0s | Skipped branch modules with no Java source: . |
| +1 | findbugs | 2m 10s | master passed |
| +1 | javadoc | 3m 25s | master passed with JDK v1.8.0 |
| +1 | javadoc | 3m 36s | master passed with JDK v1.7.0_79 |
| 0 | mvndep | 0m 13s | Maven dependency ordering for patch |
| +1 | mvninstall | 4m 24s | the patch passed |
| +1 | compile | 3m 38s | the patch passed with JDK v1.8.0 |
| +1 | javac | 3m 38s | the patch passed |
| +1 | compile | 3m 36s | the patch passed with JDK v1.7.0_79 |
| -1 | javac | 11m 52s | hbase-server-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 4 unchanged - 2 fixed = 6 total (was 6) |
| -1 | javac | 11m 52s | root-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 35 unchanged - 2 fixed = 37 total (was 37) |
| +1 | javac | 3m 36s | the patch passed |
| +1 | checkstyle | 2m 4s | the patch passed |
| +1 | mvneclipse | 1m 34s | the patch passed |
| +1 | whitespace | 0m 0s | Patch has no whitespace issues. |
| +1 | xml | 0m 1s | The patch has no ill-formed XML file. |
| +1 | hadoopcheck | 28m 54s | Patch does not cause any errors with Hadoop 2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. |
| 0 | findbugs | 0m 0s | Skipped patch modules with no Java source: . |
| +1 | findbugs | 2m 8s | the patch passed |
| +1 | javadoc | 2m 49s | the patch passed with JDK v1.8.0 |
| +1 | javadoc | 2m 55s | the patch passed with JDK v1.7.0_79 |
| -1 | unit | 88m 37s | hbase-server in the patch failed. |
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328437#comment-15328437 ]

Josh Elser commented on HBASE-5291:

bq. I thought the default value would be good to have anyway, because probably you won't want to trouble users to configure it? Maybe "signature.secret" could be better?

Ok, I get what you're suggesting now. Just took me a moment. I'll rename the property to something that doesn't include "spnego" in it, and also copy some of the possible values for it out of Hadoop's javadoc.
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328430#comment-15328430 ]

Kai Zheng commented on HBASE-5291:

bq. I'm not sure anymore why I have a default value of "privacy" in the docs.

I thought the default value would be good to have anyway, because probably you won't want to trouble users to configure it? Maybe "signature.secret" could be better?
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328423#comment-15328423 ]

Kai Zheng commented on HBASE-5291:

Thanks [~elserj] for the consideration. Regarding the cookie signature file, I just checked in Hadoop it uses the key {{hadoop.http.authentication.signature.secret.file}}. The value can be used in other means than just Kerberos, you could look at {{AuthenticationFilter}} class in Hadoop codebase to check this.
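The mechanism-independence raised in the comment above, as an added example that is not Hadoop's or HBase's code: one secret signs and verifies cookies for any authentication type, and a configured but unusable secret file fails at startup with a readable message. The class name, the `u=`/`t=`/`e=`/`&s=` token layout and the choice of HMAC-SHA256 are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added illustration; not Hadoop's AuthenticationFilter or HBase code. */
public class SignedCookieDemo {
  private static final String SIG = "&s="; // assumed token/signature separator

  /** Secret from the configured file, or a per-process random one if none is set. */
  static byte[] loadSecret(String secretFile) throws IOException {
    if (secretFile == null || secretFile.trim().isEmpty()) {
      byte[] secret = new byte[32];
      new SecureRandom().nextBytes(secret); // CSPRNG, not java.util.Random
      return secret;
    }
    // Fail fast with a readable message instead of a late signature error.
    Path path = Paths.get(secretFile);
    if (!Files.isReadable(path)) {
      throw new IOException("Cookie signature secret file is not readable: " + path);
    }
    byte[] secret = Files.readAllBytes(path);
    if (secret.length == 0) {
      throw new IOException("Cookie signature secret file is empty: " + path);
    }
    return secret;
  }

  private static String hmac(byte[] secret, String data) throws GeneralSecurityException {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(secret, "HmacSHA256"));
    byte[] tag = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
  }

  /** Builds "u=<user>&t=<type>&e=<expiry>&s=<signature>". */
  static String sign(byte[] secret, String user, String type, long expiresMillis)
      throws GeneralSecurityException {
    // The user name may come from the client (user.name in simple mode), so it
    // must not be able to smuggle extra fields into the token.
    if (user.isEmpty() || user.contains("&") || user.contains("=")) {
      throw new IllegalArgumentException("Invalid user name for token");
    }
    String token = "u=" + user + "&t=" + type + "&e=" + expiresMillis;
    return token + SIG + hmac(secret, token);
  }

  /** Returns the user name for a valid, unexpired cookie, otherwise null. */
  static String verify(byte[] secret, String cookie, long nowMillis)
      throws GeneralSecurityException {
    int idx = (cookie == null) ? -1 : cookie.lastIndexOf(SIG);
    if (idx < 0) {
      return null;
    }
    String token = cookie.substring(0, idx);
    byte[] given = cookie.substring(idx + SIG.length()).getBytes(StandardCharsets.UTF_8);
    byte[] expected = hmac(secret, token).getBytes(StandardCharsets.UTF_8);
    if (!MessageDigest.isEqual(expected, given)) { // constant-time comparison
      return null;
    }
    // Only parsed after the signature check, so the fields are server-written.
    String user = null;
    long expires = Long.MIN_VALUE;
    for (String field : token.split("&")) {
      if (field.startsWith("u=")) {
        user = field.substring(2);
      } else if (field.startsWith("e=")) {
        expires = Long.parseLong(field.substring(2));
      }
    }
    return (user != null && nowMillis < expires) ? user : null;
  }

  public static void main(String[] args) throws Exception {
    // Constructed secret file and user names, for the demonstration only.
    Path file = Files.createTempFile("http-signature", ".secret");
    Files.write(file, "constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
    byte[] secret = loadSecret(file.toString());
    long now = System.currentTimeMillis();

    // Same signer, two different authentication types.
    String viaKerberos = sign(secret, "alice", "kerberos", now + 60_000);
    String viaSimple = sign(secret, "bob", "simple", now + 60_000);
    System.out.println("kerberos cookie -> " + verify(secret, viaKerberos, now));
    System.out.println("simple cookie   -> " + verify(secret, viaSimple, now));

    // Tampered, expired, and differently keyed cookies are all rejected.
    String tampered = viaSimple.replace("u=bob", "u=admin");
    System.out.println("tampered        -> " + verify(secret, tampered, now));
    System.out.println("expired         -> " + verify(secret, viaKerberos, now + 120_000));
    System.out.println("other secret    -> " + verify(loadSecret(null), viaKerberos, now));
    Files.delete(file);
  }
}
```

With the random fallback each process holds a different secret, so a cookie issued by one server does not verify on another; a shared secret file is what lets several web consoles accept the same cookie.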
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328408#comment-15328408 ]

Josh Elser commented on HBASE-5291:

Thanks for the review [~drankye] (sorry, I missed your comments before posting .004)

bq. A minor. Maybe getOrNull could return a null or a non-empty string, so the checking of the returned value could be simpler?

Yup, that would remove a little bit of code. Probably worth it.

bq. Together with deleteRecursively and getFreePort, wonder in HBase if there is any utility class to hold these.

If nothing else, I can always lift them up to HttpServerFunctionalTest. I'm not sure if there is a better home for them.

bq. I would suggest not coupling cookie signature with the Kerberos/SPNEGO mechanism, because it's not the mechanism specific, and we might need it as well in other mechanisms like simple, token and etc. in future.

This was something I was just pulling out of Hadoop's KerberosAuthenticationFilter. (aside, I'm not sure anymore why I have a default value of "privacy" in the docs... bad copy-paste probably).
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328392#comment-15328392 ]

Kai Zheng commented on HBASE-5291:

Also took a look by the chance:

1. A minor. Maybe {{getOrNull}} could return a null or a non-empty string, so the checking of the returned value could be simpler? Together with {{deleteRecursively}} and {{getFreePort}}, wonder in HBase if there is any utility class to hold these.

2. I would suggest not coupling cookie signature with the Kerberos/SPNEGO mechanism, because it's not the mechanism specific, and we might need it as well in other mechanisms like simple, token and etc. in future.

{code} + + hbase.security.authentication.spnego.signature.secret.file + privacy + Optional, a file whose contents will be used as a secret to sign the HTTP cookies + as a part of the SPNEGO authentication handshake. If this is not provided, Java's `Random` library + will be used for the secret. + {code}

Thanks!
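Review bot: the value `privacy` shipped for `hbase.security.authentication.spnego.signature.secret.file` is not a file path and contradicts the description's "Optional ... If this is not provided", because with a default the property is always provided; leave the value empty so the documented fallback can actually apply. The fallback sentence, "Java's `Random` library will be used for the secret", should also name the generator: a cookie-signing secret needs java.security.SecureRandom, since java.util.Random output is predictable, and the description should say that a randomly generated secret is not shared between servers.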
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328338#comment-15328338 ]

Josh Elser commented on HBASE-5291:

bq. Kerberos errors are often hard to understand, so may be it's worth to check whether all required params are present and throw human readable error about it instead of relying on kerberos AI.

Ahh, that's a good point. Fail-fast is definitely something we can (and should) do in HBase land instead of letting it filter up into Hadoop.

[~devaraj] had also mentioned to me offline that setting the Kerberos authentication value for {{hbase.security.authentication.ui}} to {{kerberos}} instead of {{spnego}} might be better. After re-skimming the patch and realizing that AuthenticationFilter also uses Kerberos (and not SPNEGO), I'm inclined to agree with him. Let me put together a .004 quick.
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328312#comment-15328312 ]

Sergey Soldatov commented on HBASE-5291:

The only thing I'm worried about is the auth failure errors in case some of the parameters are missing. Kerberos errors are often hard to understand, so maybe it's worth checking whether all required params are present and throwing a human-readable error about it instead of relying on kerberos AI.
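One way to do the check suggested in the comment above, as an added Java sketch that is not part of any HBASE-5291 patch. The class and method names are hypothetical, the three property names do not appear in this thread and are assumptions to verify against your HBase release, and the sample configuration is constructed.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration of a pre-flight check; not code from HBASE-5291.
public class SpnegoPreflight {
    // Property names are assumptions (they do not appear in this thread); check them
    // against the documentation of the HBase release you run.
    static final String UI_AUTH = "hbase.security.authentication.ui";
    static final String PRINCIPAL = "hbase.security.authentication.spnego.kerberos.principal";
    static final String KEYTAB = "hbase.security.authentication.spnego.kerberos.keytab";

    /** Returns one readable message per problem; an empty list means the settings look usable. */
    static List<String> check(Map<String, String> conf) {
        List<String> problems = new ArrayList<>();
        if (!"kerberos".equals(conf.get(UI_AUTH))) {
            return problems; // SPNEGO not requested, nothing to validate
        }
        String principal = conf.get(PRINCIPAL);
        if (principal == null || principal.trim().isEmpty()) {
            problems.add(PRINCIPAL + " is not set; SPNEGO needs the web UI's service principal");
        } else if (!principal.startsWith("HTTP/")) {
            problems.add(PRINCIPAL + " is '" + principal
                + "'; browsers request a ticket for HTTP/<host>, so the service name must be HTTP");
        }
        String keytab = conf.get(KEYTAB);
        if (keytab == null || keytab.trim().isEmpty()) {
            problems.add(KEYTAB + " is not set; the server cannot accept tickets without a keytab");
        } else {
            Path path = Paths.get(keytab);
            if (!Files.isRegularFile(path)) {
                problems.add(KEYTAB + " points to '" + keytab + "', which is not an existing file");
            } else if (!Files.isReadable(path)) {
                problems.add(KEYTAB + " points to '" + keytab + "', which this process cannot read");
            }
        }
        return problems;
    }

    /** Fails before any Kerberos call is made, with every problem listed in one message. */
    static void requireUsable(Map<String, String> conf) {
        List<String> problems = check(conf);
        if (!problems.isEmpty()) {
            throw new IllegalArgumentException(
                "SPNEGO web UI configuration is incomplete:\n - " + String.join("\n - ", problems));
        }
    }

    public static void main(String[] args) {
        // Constructed sample: wrong service name in the principal and no keytab configured.
        Map<String, String> conf = new LinkedHashMap<>();
        conf.put(UI_AUTH, "kerberos");
        conf.put(PRINCIPAL, "hbase/host1.example.com@EXAMPLE.COM");
        try {
            requireUsable(conf);
            System.out.println("configuration accepted");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```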
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15323359#comment-15323359 ]

Josh Elser commented on HBASE-5291:

Not sure why HadoopQA reran .003, but whatever. The 2nd to most recent run was fine -- the last one looks like there were host-level issues on the machine.

[~busbey], [~devaraj], [~apurtell], any of you fine gentlemen have a moment to give the .003 patch a glance for me?
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15319606#comment-15319606 ]

Hadoop QA commented on HBASE-5291:

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| +1 | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 2 new or modified test files. |
| 0 | mvndep | 0m 15s | Maven dependency ordering for branch |
| +1 | mvninstall | 3m 4s | master passed |
| +1 | compile | 3m 3s | master passed with JDK v1.8.0 |
| +1 | compile | 2m 57s | master passed with JDK v1.7.0_79 |
| +1 | checkstyle | 1m 51s | master passed |
| +1 | mvneclipse | 1m 15s | master passed |
| 0 | findbugs | 0m 0s | Skipped branch modules with no Java source: . |
| +1 | findbugs | 1m 53s | master passed |
| +1 | javadoc | 2m 48s | master passed with JDK v1.8.0 |
| +1 | javadoc | 2m 52s | master passed with JDK v1.7.0_79 |
| 0 | mvndep | 0m 12s | Maven dependency ordering for patch |
| +1 | mvninstall | 3m 35s | the patch passed |
| +1 | compile | 3m 17s | the patch passed with JDK v1.8.0 |
| +1 | javac | 3m 17s | the patch passed |
| +1 | compile | 3m 13s | the patch passed with JDK v1.7.0_79 |
| -1 | javac | 10m 17s | hbase-server-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 4 unchanged - 2 fixed = 6 total (was 6) |
| -1 | javac | 10m 17s | root-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 36 unchanged - 2 fixed = 38 total (was 38) |
| +1 | javac | 3m 13s | the patch passed |
| +1 | checkstyle | 1m 52s | the patch passed |
| +1 | mvneclipse | 1m 16s | the patch passed |
| +1 | whitespace | 0m 0s | Patch has no whitespace issues. |
| +1 | xml | 0m 1s | The patch has no ill-formed XML file. |
| +1 | hadoopcheck | 26m 24s | Patch does not cause any errors with Hadoop 2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. |
| 0 | findbugs | 0m 0s | Skipped patch modules with no Java source: . |
| +1 | findbugs | 2m 15s | the patch passed |
| +1 | javadoc | 3m 12s | the patch passed with JDK v1.8.0 |
| +1 | javadoc | 2m 55s | the patch passed with JDK v1.7.0_79 |
| -1 | unit | 54m 6s | hbase-server in the patch failed. |
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15319449#comment-15319449 ]

Josh Elser commented on HBASE-5291:

Ok, did one final local test with these changes. I think this is ready to go. Anyone have a moment to give a review?

Once we're happy with the current patch, I can work on a backport for 1.3.0 and 0.98 (avoiding confusion around including in the maint releases)
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15319375#comment-15319375 ]

Hadoop QA commented on HBASE-5291:

| (/) *+1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| +1 | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 2 new or modified test files. |
| 0 | mvndep | 0m 15s | Maven dependency ordering for branch |
| +1 | mvninstall | 3m 21s | master passed |
| +1 | compile | 3m 48s | master passed with JDK v1.8.0 |
| +1 | compile | 3m 2s | master passed with JDK v1.7.0_79 |
| +1 | checkstyle | 1m 47s | master passed |
| +1 | mvneclipse | 1m 18s | master passed |
| 0 | findbugs | 0m 0s | Skipped branch modules with no Java source: . |
| +1 | findbugs | 1m 56s | master passed |
| +1 | javadoc | 2m 54s | master passed with JDK v1.8.0 |
| +1 | javadoc | 2m 51s | master passed with JDK v1.7.0_79 |
| 0 | mvndep | 0m 14s | Maven dependency ordering for patch |
| +1 | mvninstall | 3m 33s | the patch passed |
| +1 | compile | 3m 4s | the patch passed with JDK v1.8.0 |
| +1 | javac | 3m 4s | the patch passed |
| +1 | compile | 2m 58s | the patch passed with JDK v1.7.0_79 |
| -1 | javac | 9m 50s | hbase-server-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 4 unchanged - 2 fixed = 6 total (was 6) |
| -1 | javac | 9m 50s | root-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 36 unchanged - 2 fixed = 38 total (was 38) |
| +1 | javac | 2m 58s | the patch passed |
| +1 | checkstyle | 1m 53s | the patch passed |
| +1 | mvneclipse | 1m 21s | the patch passed |
| +1 | whitespace | 0m 0s | Patch has no whitespace issues. |
| +1 | xml | 0m 1s | The patch has no ill-formed XML file. |
| +1 | hadoopcheck | 27m 6s | Patch does not cause any errors with Hadoop 2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. |
| 0 | findbugs | 0m 0s | Skipped patch modules with no Java source: . |
| +1 | findbugs | 2m 12s | the patch passed |
| +1 | javadoc | 2m 49s | the patch passed with JDK v1.8.0 |
| +1 | javadoc | 2m 52s | the patch passed with JDK v1.7.0_79 |
| +1 | unit | 86m 12s | hbase-server in the patch passed. |
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15318083#comment-15318083 ]

Hadoop QA commented on HBASE-5291:

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| +1 | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 2 new or modified test files. |
| 0 | mvndep | 0m 16s | Maven dependency ordering for branch |
| +1 | mvninstall | 3m 12s | master passed |
| +1 | compile | 3m 29s | master passed with JDK v1.8.0 |
| +1 | compile | 3m 1s | master passed with JDK v1.7.0_79 |
| +1 | checkstyle | 1m 45s | master passed |
| +1 | mvneclipse | 1m 17s | master passed |
| 0 | findbugs | 0m 0s | Skipped branch modules with no Java source: . |
| +1 | findbugs | 1m 58s | master passed |
| +1 | javadoc | 3m 3s | master passed with JDK v1.8.0 |
| +1 | javadoc | 2m 59s | master passed with JDK v1.7.0_79 |
| 0 | mvndep | 0m 12s | Maven dependency ordering for patch |
| +1 | mvninstall | 3m 36s | the patch passed |
| +1 | compile | 3m 25s | the patch passed with JDK v1.8.0 |
| +1 | javac | 3m 25s | the patch passed |
| +1 | compile | 3m 0s | the patch passed with JDK v1.7.0_79 |
| -1 | javac | 10m 13s | hbase-server-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 4 unchanged - 2 fixed = 6 total (was 6) |
| -1 | javac | 10m 13s | root-jdk1.7.0_79 with JDK v1.7.0_79 generated 2 new + 36 unchanged - 2 fixed = 38 total (was 38) |
| +1 | javac | 3m 0s | the patch passed |
| +1 | checkstyle | 1m 50s | the patch passed |
| +1 | mvneclipse | 1m 17s | the patch passed |
| -1 | whitespace | 0m 0s | The patch has 4 line(s) that end in whitespace. Use git apply --whitespace=fix. |
| +1 | xml | 0m 1s | The patch has no ill-formed XML file. |
| +1 | hadoopcheck | 26m 8s | Patch does not cause any errors with Hadoop 2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. |
| 0 | findbugs | 0m 0s | Skipped patch modules with no Java source: . |
| +1 | findbugs | 2m 9s | the patch passed |
| +1 | javadoc | 3m 8s | the patch passed with JDK v1.8.0 |
| +1 | javadoc | 2m 54s | the patch passed with JDK v1.7.0_79 |
| -1 | unit | 94m 58s | hbase-server in
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15270927#comment-15270927 ]

Josh Elser commented on HBASE-5291:

bq. You didn't do too much work if you also want this to end up in 0.98

Heh, good point. That's definitely on my radar. Will get the "newer" branches sorted out first and then will get something up for 0.98 too
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15270882#comment-15270882 ]

Andrew Purtell commented on HBASE-5291:

You didn't do too much work if you also want this to end up in 0.98. We don't have HBASE-10336 before 1.0
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15270780#comment-15270780 ]

Josh Elser commented on HBASE-5291:

HBASE-10336 is the changeset which actually introduced the implementation (but never wired it up).

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0
> Attachments: HBASE-5291.001.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15270775#comment-15270775 ]

Josh Elser commented on HBASE-5291:

Oh what the heck. I just found that there was some wiring already done for HttpServer and the AuthenticationFilter from Hadoop (to enable SPNEGO). Apparently, I did too much work. Will have to consolidate stuff.

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
> Fix For: 2.0.0
> Attachments: HBASE-5291.001.patch
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15270234#comment-15270234 ]

Hadoop QA commented on HBASE-5291:

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| +1 | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| 0 | mvndep | 0m 46s | Maven dependency ordering for branch |
| +1 | mvninstall | 4m 28s | master passed |
| +1 | compile | 5m 26s | master passed with JDK v1.8.0 |
| +1 | compile | 4m 3s | master passed with JDK v1.7.0_79 |
| +1 | checkstyle | 9m 23s | master passed |
| +1 | mvneclipse | 1m 33s | master passed |
| 0 | findbugs | 0m 0s | Skipped branch modules with no Java source: . |
| +1 | findbugs | 2m 29s | master passed |
| +1 | javadoc | 4m 47s | master passed with JDK v1.8.0 |
| +1 | javadoc | 4m 2s | master passed with JDK v1.7.0_79 |
| 0 | mvndep | 0m 11s | Maven dependency ordering for patch |
| +1 | mvninstall | 5m 5s | the patch passed |
| +1 | compile | 5m 54s | the patch passed with JDK v1.8.0 |
| +1 | javac | 5m 54s | the patch passed |
| +1 | compile | 4m 5s | the patch passed with JDK v1.7.0_79 |
| +1 | javac | 4m 5s | the patch passed |
| -1 | checkstyle | 4m 57s | hbase-server: patch generated 2 new + 46 unchanged - 0 fixed = 48 total (was 46) |
| -1 | checkstyle | 4m 28s | root: patch generated 2 new + 46 unchanged - 0 fixed = 48 total (was 46) |
| +1 | mvneclipse | 1m 39s | the patch passed |
| +1 | whitespace | 0m 0s | Patch has no whitespace issues. |
| +1 | hadoopcheck | 9m 22s | Patch does not cause any errors with Hadoop 2.4.1 2.5.2 2.6.0. |
| 0 | findbugs | 0m 0s | Skipped patch modules with no Java source: . |
| +1 | findbugs | 2m 49s | the patch passed |
| +1 | javadoc | 4m 42s | the patch passed with JDK v1.8.0 |
| +1 | javadoc | 7m 11s | the patch passed with JDK v1.7.0_79 |
| -1 | unit | 106m 12s | hbase-server in the patch failed. |
| -1 | unit | 146m 55s | root in the patch failed. |
| +1 | asflicense | 0m 33s |
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15269718#comment-15269718 ]

Josh Elser commented on HBASE-5291:

Let me knock this one out.

> Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
>
> Key: HBASE-5291
> URL: https://issues.apache.org/jira/browse/HBASE-5291
> Project: HBase
> Issue Type: Improvement
> Components: master, regionserver, security
> Reporter: Andrew Purtell
> Assignee: Josh Elser
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13450394#comment-13450394 ]

stack commented on HBASE-5291:

Gopinathan, go for it. Want me to assign you this issue?

Add Kerberos HTTP SPNEGO authentication support to HBase web consoles

Key: HBASE-5291
URL: https://issues.apache.org/jira/browse/HBASE-5291
Project: HBase
Issue Type: Improvement
Components: master, regionserver, security
Reporter: Andrew Purtell

--
This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13447519#comment-13447519 ]

Gopinathan A commented on HBASE-5291:

@Andrew: I am interested to work on this issue.

Add Kerberos HTTP SPNEGO authentication support to HBase web consoles

Key: HBASE-5291
URL: https://issues.apache.org/jira/browse/HBASE-5291
Project: HBase
Issue Type: Improvement
Components: master, regionserver, security
Reporter: Andrew Purtell
[jira] [Commented] (HBASE-5291) Add Kerberos HTTP SPNEGO authentication support to HBase web consoles
[ https://issues.apache.org/jira/browse/HBASE-5291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13194317#comment-13194317 ]

Alejandro Abdelnur commented on HBASE-5291:

You could copycat hadoop-httpfs AuthFilter (this would enable reading the security related config from hbase config files)

Add Kerberos HTTP SPNEGO authentication support to HBase web consoles

Key: HBASE-5291
URL: https://issues.apache.org/jira/browse/HBASE-5291
Project: HBase
Issue Type: Improvement
Components: master, regionserver, security
Reporter: Andrew Purtell