Hi Jagan,
Right now, Authorization checks inside of the RegionServer aren't
well-quantified, but it is possible. One example of software that does
this today is Apache Ranger.
However, your plan to provide custom client-side data is going to take a
bit more effort as you'll also need to figure out client-side logic to
compute and (somehow) send this extra data with every RPC. I would guess
that this would take some aggressive hacking, but I haven't looked at
the client-side code with this in mind before.
I think your best course of action is to look at the code yourself and
come back with more specific questions as to what exists in HBase.
Perhaps you can start looking at what Ranger does and go from there.
Good luck!
On 2/19/19 3:19 AM, Jagan R wrote:
Dear All,
Is there any way we can plug-in custom security checks in HBase?
We are exploring ways to do security checks at a more finer level where we
want to control/check if the user can access this data or not. Once we do
the authorization checks, want to pass an access token to the hbase region
servers for any request.
In the region server, we want to check for the validity of the access token
via a call to the data source (say redis) where the access token is stored.
So want to pass an additional argument say token for the hbase requests and
get a handle for validating the token before performing the operation. If
the token is invalid, should abort the operation and throw error to the
client.
Regards,
Jagan
