Re: Hbase security tutorial
Gary has some slides: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security Here are blog posts from the old HBase blog (hbaseblog.com). The site is gone but you can still see them on the Internet Archive: http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ Cheers On Wed, Feb 13, 2013 at 4:22 PM, Serge Blazhievsky sblazhiev...@nice.comwrote: Hi all, I am looking for a good Hbase security tutorial. Could you please suggestion something? Thanks Serge
Re: Hbase security tutorial
http://hbase.apache.org/book.html#security contains detailed information about configuration. FYI On Wed, Feb 13, 2013 at 4:27 PM, Ted Yu yuzhih...@gmail.com wrote: Gary has some slides: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security Here are blog posts from the old HBase blog (hbaseblog.com). The site is gone but you can still see them on the Internet Archive: http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ Cheers On Wed, Feb 13, 2013 at 4:22 PM, Serge Blazhievsky sblazhiev...@nice.comwrote: Hi all, I am looking for a good Hbase security tutorial. Could you please suggestion something? Thanks Serge
Re: Hbase security tutorial
Thanks On Feb 13, 2013, at 4:32 PM, Ted Yu yuzhih...@gmail.com wrote: http://hbase.apache.org/book.html#security contains detailed information about configuration. FYI On Wed, Feb 13, 2013 at 4:27 PM, Ted Yu yuzhih...@gmail.com wrote: Gary has some slides: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security Here are blog posts from the old HBase blog (hbaseblog.com). The site is gone but you can still see them on the Internet Archive: http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ Cheers On Wed, Feb 13, 2013 at 4:22 PM, Serge Blazhievsky sblazhiev...@nice.comwrote: Hi all, I am looking for a good Hbase security tutorial. Could you please suggestion something? Thanks Serge
Re: Hbase security tutorial
Check out http://hbase.apache.org/book.html#security Also, we did a presentation at HBaseCon last year. This is a worked example for getting a simple secure cluster up and running with 0.94 at the time: https://github.com/apurtell/ec2-demo The most useful files will be https://github.com/apurtell/ec2-demo/blob/master/bin/image/tarball/create-image-remote, which lays down a base configuration, and https://github.com/apurtell/ec2-demo/blob/master/bin/image/tarball/setup-remote, which configures site files. On Wed, Feb 13, 2013 at 4:22 PM, Serge Blazhievsky sblazhiev...@nice.comwrote: Hi all, I am looking for a good Hbase security tutorial. Could you please suggestion something? Thanks Serge -- Best regards, - Andy Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
Re: HBase Security API
IMO, the application that you are referring should be set up to impersonate other users (called proxy-user authentication). Have a look at http://hadoop.apache.org/common/docs/r1.0.3/Secure_Impersonation.html. This can be mapped to the HBase land.. I think the class org.apache.hadoop.hbase.security.User should provide an API to create proxy users. On Jul 1, 2012, at 5:29 PM, Tony Dean wrote: Posting this again in plaintext to see if it registers successfully. Hi, It appears that the Kerberos authentication integration into HBase is via JAAS Krb5LoginModule. That is, I can setup up the Client application context and configure where/how the client Kerberos principle is authenticated (TGT). Correct? If I have a multi-tenant application that performs scans/gets/puts based on different users, what is the appropriate way to specify the Kerberos principle to use on each thread? I was thinking that I could use a JAAS callbackHandler to specify the principle to use and then configure the login module to query a keytab for the principal's password key. Or do I have to create a Subject and configure the login module to use the shared state? What's an application's integration point into specifying what client Kerberos principal to authenticate and use. Thank you! Tony Dean SAS Institute Inc. Senior Software Developer 919-531-6704
Re: hbase security
On 5/15/12 2:24 AM, Harsh J wrote: HBase 0.92 has table-level security (among other goodies). Check out this slide on what all it includes: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security There was also a good blog post earlier on how to set it up, but am currently unable to locate it. I'll post back in case I find an archive (or someone else may). P.s. If you're making it to HBaseCon, you may not wanna miss http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ which also includes a tutorial (from Andrew). Hi Harsh J and Rita, You might be interested in a couple of blog posts from the old HBase blog (hbaseblog.com). The site is gone but you can still see them on the Internet Archive: http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ -Eugene
Re: hbase security
On 5/15/12 2:24 AM, Harsh J wrote: P.s. If you're making it to HBaseCon, you may not wanna miss http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ which also includes a tutorial (from Andrew). Given the time constraints on the material I have to present and QA, what I'm doing is bringing a ~5 minute (accelerated) video instead, which I may or may not have time to show., and posted the scripts and configuration used to set up the security enabled demo cluster in EC2 in a public GitHub repo: https://github.com/apurtell/tm-ec2-demo It's possible to use those GitHub scripts right away. Best regards, - Andy Problems worthy of attack prove their worth by hitting back. - Piet Hein (via Tom White)
Re: hbase security
On Thu, May 17, 2012 at 7:19 AM, Eugene Koontz ekoo...@hiro-tan.org wrote: http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ Anyone interested in porting these over to http://blogs.apache.org/hbase/? They have great stuff in them. St.Ack
Re: hbase security
I could repost the up and running with secure hadoop one. But it's kind of out of date at this point. I remember, back when the site was still up, getting some comments on it about things that had already changed in the 0.20.20X releases. I can take a look and see how bad it is. On Thu, May 17, 2012 at 1:22 PM, Stack st...@duboce.net wrote: On Thu, May 17, 2012 at 7:19 AM, Eugene Koontz ekoo...@hiro-tan.org wrote: http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ Anyone interested in porting these over to http://blogs.apache.org/hbase/? They have great stuff in them. St.Ack
Re: hbase security
On 5/17/12 1:22 PM, Stack wrote: On Thu, May 17, 2012 at 7:19 AM, Eugene Koontz ekoo...@hiro-tan.org wrote: http://web.archive.org/web/20101031022526/http://hbaseblog.com/2010/10/11/secure-hbase-access-controls/ http://web.archive.org/web/20100817034022/http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/ Anyone interested in porting these over to http://blogs.apache.org/hbase/? They have great stuff in them. St.Ack Hi St. Ack, Thanks for saying so! I'm planning to port mine (the access controls post) as soon as my Apache Roller account is granted by the Infra folks. -Eugene
Re: hbase security
you can use the hadoop + kerberos security feature to have security at hadoop level similarly, you can edit hbase-site.xml to have kerberos authentications. for more you can refer: https://ccp.cloudera.com/display/CDHDOC/HBase+Security+Configuration On Tue, May 15, 2012 at 8:11 AM, Rita rmorgan...@gmail.com wrote: Hello, It seems for my hbase installation anyone can delete my tables. Is there a way to prevent this? I would like to have only owner of Hmaster with super authority. tia -- --- Get your facts first, then you can distort them as you please.-- -- Nitin Pawar
Re: hbase security
HBase 0.92 has table-level security (among other goodies). Check out this slide on what all it includes: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security There was also a good blog post earlier on how to set it up, but am currently unable to locate it. I'll post back in case I find an archive (or someone else may). P.s. If you're making it to HBaseCon, you may not wanna miss http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ which also includes a tutorial (from Andrew). On Tue, May 15, 2012 at 8:11 AM, Rita rmorgan...@gmail.com wrote: Hello, It seems for my hbase installation anyone can delete my tables. Is there a way to prevent this? I would like to have only owner of Hmaster with super authority. tia -- --- Get your facts first, then you can distort them as you please.-- -- Harsh J
Re: hbase security
Coprocessors are inside the engine... So they should be in place if you use the shell, or some other access method. Sent from a remote device. Please excuse any typos... Mike Segel On May 15, 2012, at 6:11 AM, Rita rmorgan...@gmail.com wrote: I am guessing I can´t use these features using shell, right? On Tue, May 15, 2012 at 5:24 AM, Harsh J ha...@cloudera.com wrote: HBase 0.92 has table-level security (among other goodies). Check out this slide on what all it includes: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security There was also a good blog post earlier on how to set it up, but am currently unable to locate it. I'll post back in case I find an archive (or someone else may). P.s. If you're making it to HBaseCon, you may not wanna miss http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ which also includes a tutorial (from Andrew). On Tue, May 15, 2012 at 8:11 AM, Rita rmorgan...@gmail.com wrote: Hello, It seems for my hbase installation anyone can delete my tables. Is there a way to prevent this? I would like to have only owner of Hmaster with super authority. tia -- --- Get your facts first, then you can distort them as you please.-- -- Harsh J -- --- Get your facts first, then you can distort them as you please.--
Re: hbase security
Do any of the CDH have this feature? On Tue, May 15, 2012 at 7:21 AM, Michel Segel michael_se...@hotmail.comwrote: Coprocessors are inside the engine... So they should be in place if you use the shell, or some other access method. Sent from a remote device. Please excuse any typos... Mike Segel On May 15, 2012, at 6:11 AM, Rita rmorgan...@gmail.com wrote: I am guessing I can´t use these features using shell, right? On Tue, May 15, 2012 at 5:24 AM, Harsh J ha...@cloudera.com wrote: HBase 0.92 has table-level security (among other goodies). Check out this slide on what all it includes: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security There was also a good blog post earlier on how to set it up, but am currently unable to locate it. I'll post back in case I find an archive (or someone else may). P.s. If you're making it to HBaseCon, you may not wanna miss http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ which also includes a tutorial (from Andrew). On Tue, May 15, 2012 at 8:11 AM, Rita rmorgan...@gmail.com wrote: Hello, It seems for my hbase installation anyone can delete my tables. Is there a way to prevent this? I would like to have only owner of Hmaster with super authority. tia -- --- Get your facts first, then you can distort them as you please.-- -- Harsh J -- --- Get your facts first, then you can distort them as you please.-- -- --- Get your facts first, then you can distort them as you please.--
Re: hbase security
CDH4 is based off of 92 and will have HBase security. On Tue, May 15, 2012 at 6:35 PM, Rita rmorgan...@gmail.com wrote: Do any of the CDH have this feature? On Tue, May 15, 2012 at 7:21 AM, Michel Segel michael_se...@hotmail.com wrote: Coprocessors are inside the engine... So they should be in place if you use the shell, or some other access method. Sent from a remote device. Please excuse any typos... Mike Segel On May 15, 2012, at 6:11 AM, Rita rmorgan...@gmail.com wrote: I am guessing I can´t use these features using shell, right? On Tue, May 15, 2012 at 5:24 AM, Harsh J ha...@cloudera.com wrote: HBase 0.92 has table-level security (among other goodies). Check out this slide on what all it includes: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security There was also a good blog post earlier on how to set it up, but am currently unable to locate it. I'll post back in case I find an archive (or someone else may). P.s. If you're making it to HBaseCon, you may not wanna miss http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ which also includes a tutorial (from Andrew). On Tue, May 15, 2012 at 8:11 AM, Rita rmorgan...@gmail.com wrote: Hello, It seems for my hbase installation anyone can delete my tables. Is there a way to prevent this? I would like to have only owner of Hmaster with super authority. tia -- --- Get your facts first, then you can distort them as you please.-- -- Harsh J -- --- Get your facts first, then you can distort them as you please.-- -- --- Get your facts first, then you can distort them as you please.-- -- Kevin O'Dell Customer Operations Engineer, Cloudera
Re: hbase security
Thanks! Can't wait until CHD4 :p On Tue, May 15, 2012 at 6:37 PM, Kevin O'dell kevin.od...@cloudera.comwrote: CDH4 is based off of 92 and will have HBase security. On Tue, May 15, 2012 at 6:35 PM, Rita rmorgan...@gmail.com wrote: Do any of the CDH have this feature? On Tue, May 15, 2012 at 7:21 AM, Michel Segel michael_se...@hotmail.com wrote: Coprocessors are inside the engine... So they should be in place if you use the shell, or some other access method. Sent from a remote device. Please excuse any typos... Mike Segel On May 15, 2012, at 6:11 AM, Rita rmorgan...@gmail.com wrote: I am guessing I can´t use these features using shell, right? On Tue, May 15, 2012 at 5:24 AM, Harsh J ha...@cloudera.com wrote: HBase 0.92 has table-level security (among other goodies). Check out this slide on what all it includes: http://www.slideshare.net/ghelmling/new-hbase-features-coprocessors-and-security There was also a good blog post earlier on how to set it up, but am currently unable to locate it. I'll post back in case I find an archive (or someone else may). P.s. If you're making it to HBaseCon, you may not wanna miss http://www.hbasecon.com/sessions/hbase-security-for-the-enterprise/ which also includes a tutorial (from Andrew). On Tue, May 15, 2012 at 8:11 AM, Rita rmorgan...@gmail.com wrote: Hello, It seems for my hbase installation anyone can delete my tables. Is there a way to prevent this? I would like to have only owner of Hmaster with super authority. tia -- --- Get your facts first, then you can distort them as you please.-- -- Harsh J -- --- Get your facts first, then you can distort them as you please.-- -- --- Get your facts first, then you can distort them as you please.-- -- Kevin O'Dell Customer Operations Engineer, Cloudera -- --- Get your facts first, then you can distort them as you please.--
Re: HBase Security Configuration
Hey Konrad, Make sure your HBase's classpath also has the Hadoop conf dir on it (specifically hdfs-site.xml and core-site.xml). It it already does have that, make sure they are populated with the right HDFS cluster values (core-site needs two properties that toggle security ON, and hdfs-site needs the HDFS server principals configured inside it - basically just copy these core-site and hdfs-site files from your secured HDFS cluster config over to the HBase machines/classpath). On Tue, Apr 17, 2012 at 5:38 PM, Konrad Tendera ema...@tendera.eu wrote: Hello, I'm trying to configure secure HBase using following instruction: https://ccp.cloudera.com/display/CDHDOC/HBase+Security+Configuration. Our cluster uses Kerberos and everything in Hadoop work fine. But when I start HBase following exception is thrown FATAL org.apache.hadoop.hbase.master.HMaster: Unhandled exception. Starting shutdown. org.apache.hadoop.security.AccessControlException: Authentication is required at org.apache.hadoop.ipc.Client.call(Client.java:1028) at org.apache.hadoop.ipc.WritableRpcEngine$Invoker.invoke(WritableRpcEngine.java:198) at $Proxy9.getProtocolVersion(Unknown Source) at org.apache.hadoop.ipc.WritableRpcEngine.getProxy(WritableRpcEngine.java:235) at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:275) at org.apache.hadoop.ipc.RPC.getProxy(RPC.java:249) at org.apache.hadoop.hdfs.DFSClient.createRPCNamenode(DFSClient.java:161) at org.apache.hadoop.hdfs.DFSClient.init(DFSClient.java:278) at org.apache.hadoop.hdfs.DFSClient.init(DFSClient.java:245) at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:109) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1792) at org.apache.hadoop.fs.FileSystem.access$200(FileSystem.java:76) at org.apache.hadoop.fs.FileSystem$Cache.getInternal(FileSystem.java:1826) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:1808) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:265) at org.apache.hadoop.fs.Path.getFileSystem(Path.java:189) at org.apache.hadoop.hbase.util.FSUtils.getRootDir(FSUtils.java:471) at org.apache.hadoop.hbase.master.MasterFileSystem.init(MasterFileSystem.java:94) at org.apache.hadoop.hbase.master.HMaster.finishInitialization(HMaster.java:448) at org.apache.hadoop.hbase.master.HMaster.run(HMaster.java:326) at java.lang.Thread.run(Thread.java:662) I can't find any info about it. I'm using Hbase 0.92 with Hadoop 0.22 -- Konrad Tendera -- Harsh J