Simplify configuration of security components
---------------------------------------------

                 Key: HBASE-4817
                 URL: https://issues.apache.org/jira/browse/HBASE-4817
             Project: HBase
          Issue Type: Improvement
          Components: security
            Reporter: Gary Helmling


The HBase security features were built to be optionally loadable, when desired, 
and it shows through in the complexity of configuring security for operation.

In addition to the baseline configuration required for process keytab files and 
server principals, the following properties need to be set to enable security:

{code}
<property>
 <name>hbase.security.authentication</name>
 <value>kerberos</value>
</property>
<property>
 <name>hbase.coprocessor.master.classes</name>
 <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
 <name>hbase.coprocessor.region.classes</name>
 <value>org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<property>
 <name>hbase.rpc.engine</name>
 <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
 <name>hbase.zookeeper.property.authProvider.1</name>
 <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>
</property>
{code}

We should be able to simplify this and automatically set up the underlying code 
components (required coprocessors, SecureRpcEngine) when some high level 
security flags are set.

For authentication and authorization, I'd like to narrow it down to two simple 
configuration properties.  When set, these would trigger automatic 
configuration of the required coprocessors/RpcEngine:

* {{hbase.security.authentication}} - when set to {{kerberos}}, this would 
automatically:
** set {{hbase.rpc.engine=org.apache.hadoop.hbase.ipc.SecureRpcEngine}}
** add {{org.apache.hadoop.hbase.security.token.TokenProvider}} to the 
configuration for {{hbase.coprocessor.region.classes}}
** possibly also set 
{{hbase.zookeeper.property.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider}}
 for zookeeper?
* {{hbase.security.authorization}} - when set to {{true}}, this would 
automatically:
** add {{org.apache.hadoop.hbase.security.access.AccessController}} to the 
configuration for both {{hbase.coprocessor.master.classes}} and 
{{hbase.coprocessor.region.classes}}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
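
The derivation proposed in this issue, sketched as an added example (not code from the issue or from HBase): it reads an hbase-site.xml, expands the two high-level flags into the low-level properties listed above, and keeps any coprocessors already configured. The function names and the `com.example.AuditObserver` class are hypothetical, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

ACCESS_CONTROLLER = "org.apache.hadoop.hbase.security.access.AccessController"
TOKEN_PROVIDER = "org.apache.hadoop.hbase.security.token.TokenProvider"
SECURE_RPC_ENGINE = "org.apache.hadoop.hbase.ipc.SecureRpcEngine"
MASTER_CP = "hbase.coprocessor.master.classes"
REGION_CP = "hbase.coprocessor.region.classes"

# Constructed sample: only the two high-level flags, plus a made-up coprocessor.
SAMPLE_SITE = """<configuration>
 <property><name>hbase.security.authentication</name><value>kerberos</value></property>
 <property><name>hbase.security.authorization</name><value>true</value></property>
 <property><name>hbase.coprocessor.region.classes</name><value>com.example.AuditObserver</value></property>
</configuration>"""

def load_site(xml_text):
    """Read <property> name/value pairs from hbase-site.xml text into a dict."""
    conf = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            conf[name] = (prop.findtext("value") or "").strip()
    return conf

def add_class(conf, key, cls):
    """Append cls to a comma-separated class list, keeping existing entries."""
    classes = [c.strip() for c in conf.get(key, "").split(",") if c.strip()]
    if cls not in classes:
        classes.append(cls)
    conf[key] = ",".join(classes)

def derive_security_conf(conf):
    """Return a copy of conf with the low-level properties the issue lists."""
    out = dict(conf)
    if out.get("hbase.security.authorization", "").lower() == "true":
        add_class(out, MASTER_CP, ACCESS_CONTROLLER)
        add_class(out, REGION_CP, ACCESS_CONTROLLER)
    if out.get("hbase.security.authentication", "").lower() == "kerberos":
        out["hbase.rpc.engine"] = SECURE_RPC_ENGINE
        add_class(out, REGION_CP, TOKEN_PROVIDER)
        # The ZooKeeper authProvider is only a "possibly" in the issue, so it
        # is left for the operator to set explicitly.
    return out

if __name__ == "__main__":
    for key, value in sorted(derive_security_conf(load_site(SAMPLE_SITE)).items()):
        print(f"{key}={value}")
```

Comparing this output with a cluster's actual hbase-site.xml shows which of the manually maintained properties are missing while the high-level flags claim security is on.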

        
