On Jul 11, 2012, at 10:41 AM, Tony Dean wrote:
Hi,
Looking into hbase security, it appears that when HBaseRPC is creating a
proxy (e.g., SecureRpcEngine), it injects the current user:
User.getCurrent() which by default is the cached Kerberos TGT (kinit'ed user
- using the
: Wednesday, July 11, 2012 3:11 PM
To: user@hbase.apache.org
Subject: Re: hbase multi-user security
On Wed, Jul 11, 2012 at 11:51 AM, Tony Dean tony.d...@sas.com wrote:
Yes, I saw that. But one you have a User how do you get the SecureClient
connection to use it? It seems to just call
: RE: hbase multi-user security
Thanks Andy for the reply.
I understand your normal use case...
If we are hosting we could create separate Web apps per client so that
authentication occurs for each client back to the same hbase/hadoop cluster...
therefore, each client would see only the data
On Thu, Jul 12, 2012 at 12:44 PM, Tony Dean tony.d...@sas.com wrote:
I'm wondering how that proxy user can be injected into the RPC connection
when making requests.
Right, hence the suggestion to be able to set User per thread, at
least, via a thread local, so you can set at will and RPC will
Wouldn't this work:
User user =
User.create(UserGroupInformation.createProxyUser(userToImpersonate,
UserGroupInformation.getLoginUser()))
//Run the regionserver operation within a runAs (authentication will happen
using the credentials of the loginuser)
user.runAs(...)
At the RPC layer, the
loginUser?
consumers can choose to take the thread-local hit or not.
-Tony
-Original Message-
From: Andrew Purtell [mailto:apurt...@apache.org]
Sent: Thursday, July 12, 2012 4:09 PM
To: user@hbase.apache.org
Subject: Re: hbase multi-user security
On Thu, Jul 12, 2012 at 12:44 PM
Have you seen the following method in User.java ?
public static User create(UserGroupInformation ugi) {
if (ugi == null) {
return null;
}
return new SecureHadoopUser(ugi);
}
It wraps an underlying UserGroupInformation instance.
Cheers
On Wed, Jul 11, 2012 at 10:41 AM,
.
-Original Message-
From: Ted Yu [mailto:yuzhih...@gmail.com]
Sent: Wednesday, July 11, 2012 1:49 PM
To: user@hbase.apache.org
Subject: Re: hbase multi-user security
Have you seen the following method in User.java ?
public static User create(UserGroupInformation ugi) {
if (ugi == null
On Wed, Jul 11, 2012 at 11:51 AM, Tony Dean tony.d...@sas.com wrote:
Yes, I saw that. But one you have a User how do you get the SecureClient
connection to use it? It seems to just call User.getCurrent(). And its
static so there can only be 1.
I think Hadoop's UserGroupInformation is the