Re: hbase multi-user security

2012-07-12 Thread Devaraj Das
On Jul 11, 2012, at 10:41 AM, Tony Dean wrote: Hi, Looking into hbase security, it appears that when HBaseRPC is creating a proxy (e.g., SecureRpcEngine), it injects the current user: User.getCurrent() which by default is the cached Kerberos TGT (kinit'ed user - using the

RE: hbase multi-user security

2012-07-12 Thread Tony Dean
: Wednesday, July 11, 2012 3:11 PM To: user@hbase.apache.org Subject: Re: hbase multi-user security On Wed, Jul 11, 2012 at 11:51 AM, Tony Dean tony.d...@sas.com wrote: Yes, I saw that. But once you have a User how do you get the SecureClient connection to use it? It seems to just call

RE: hbase multi-user security

2012-07-12 Thread Tony Dean
: RE: hbase multi-user security Thanks Andy for the reply. I understand your normal use case... If we are hosting we could create separate Web apps per client so that authentication occurs for each client back to the same hbase/hadoop cluster... therefore, each client would see only the data

Re: hbase multi-user security

2012-07-12 Thread Andrew Purtell
On Thu, Jul 12, 2012 at 12:44 PM, Tony Dean tony.d...@sas.com wrote: I'm wondering how that proxy user can be injected into the RPC connection when making requests. Right, hence the suggestion to be able to set User per thread, at least, via a thread local, so you can set at will and RPC will

Re: hbase multi-user security

2012-07-12 Thread Devaraj Das
Wouldn't this work:

    User user = User.create(UserGroupInformation.createProxyUser(userToImpersonate, UserGroupInformation.getLoginUser()));
    // Run the regionserver operation within a runAs (authentication will happen using the credentials of the loginuser)
    user.runAs(...)

At the RPC layer, the

Re: hbase multi-user security

2012-07-12 Thread Devaraj Das
loginUser? consumers can choose to take the thread-local hit or not. -Tony -Original Message- From: Andrew Purtell [mailto:apurt...@apache.org] Sent: Thursday, July 12, 2012 4:09 PM To: user@hbase.apache.org Subject: Re: hbase multi-user security On Thu, Jul 12, 2012 at 12:44 PM

Re: hbase multi-user security

2012-07-11 Thread Ted Yu
Have you seen the following method in User.java?

    public static User create(UserGroupInformation ugi) {
      if (ugi == null) {
        return null;
      }
      return new SecureHadoopUser(ugi);
    }

It wraps an underlying UserGroupInformation instance. Cheers On Wed, Jul 11, 2012 at 10:41 AM,

RE: hbase multi-user security

2012-07-11 Thread Tony Dean
. -Original Message- From: Ted Yu [mailto:yuzhih...@gmail.com] Sent: Wednesday, July 11, 2012 1:49 PM To: user@hbase.apache.org Subject: Re: hbase multi-user security Have you seen the following method in User.java ? public static User create(UserGroupInformation ugi) { if (ugi == null

Re: hbase multi-user security

2012-07-11 Thread Andrew Purtell
On Wed, Jul 11, 2012 at 11:51 AM, Tony Dean tony.d...@sas.com wrote: Yes, I saw that. But once you have a User how do you get the SecureClient connection to use it? It seems to just call User.getCurrent(). And it's static so there can only be 1. I think Hadoop's UserGroupInformation is the