IMO, the application that you are referring should be set up to impersonate other users (called proxy-user authentication).
Have a look at http://hadoop.apache.org/common/docs/r1.0.3/Secure_Impersonation.html. This can be mapped to the HBase land.. I think the class org.apache.hadoop.hbase.security.User should provide an API to create proxy users. On Jul 1, 2012, at 5:29 PM, Tony Dean wrote: > Posting this again in plaintext to see if it registers successfully. > > Hi, > > It appears that the Kerberos authentication integration into HBase is via > JAAS Krb5LoginModule. That is, > I can setup up the "Client" application context and configure where/how the > client Kerberos principle is > authenticated (TGT). Correct? If I have a multi-tenant application that > performs scans/gets/puts based > on different users, what is the appropriate way to specify the Kerberos > principle to use on each thread? > I was thinking that I could use a JAAS callbackHandler to specify the > principle to use and then configure > the login module to query a keytab for the principal's password key. Or do I > have to create a Subject and > configure the login module to use the shared state? > > What's an application's integration point into specifying what client > Kerberos principal to authenticate and use. > > > Thank you! > > > Tony Dean > SAS Institute Inc. > Senior Software Developer > 919-531-6704 > > > >
