So if I'm understanding correctly, I've done something very similar to this
before. You can set up a cross-domain trust at the server level. Then for
your clients, you can specify the krb5 at bootup of java/kinit either
through an environment variable or something like this:
https://stackoverflow.com/a/30710283

Then these two things WOULD allow you to use something like SPNEGO and that
might solve your problems.

To answer your question more directly, without SPNEGO, I don't see anything
like that in the HBase configs but I'm maybe missing something. You're
thinking about it backwards from how I usually think about it, which is
fine.

But if you flip it, there's an easier way, assuming you are cool running a
Knox gateway: use the Knox gateway to sit in front of the HBase UI and
block access except through the Knox servers. There's a tutorial that MIGHT
work here
https://community.cloudera.com/t5/Community-Articles/Configure-Knox-to-access-HBASE-UI/ta-p/249399
although it's roughly similar to setting up any other Knox gateway proxy.


William Watson



On Wed, Aug 12, 2020 at 10:50 AM <jw4306...@gmail.com> wrote:

> Hello!
>
>
>
> I'm trying to prevent anonymous access to the HBase Master and Regionserver
> standard web UIs (the ones running on ports 16010/16030). I'm not able to
> use SPNEGO protection on the web interfaces as the workstations my team
> would be coming in from are Windows 10 workstations on a different domain
> (that we don't have the rights to install software on).
>
>
>
> Is it possible to configure the HBase web UIs to utilize Knox's KnoxSSO
> proxy? Something analogous to this configuration setting in Hadoop's
> core-site.xml:
>
> <property>
>   <name>hadoop.http.authentication.authentication.provider.url</name>
>   <value>https://<knoxGWserver>:8443/gateway/knoxsso/api/v1/websso</value>
> </property>
>
>
>
> If not, are there any other options available other than disabling the web
> interfaces entirely?
>
>
>
> Thanks!
>
>
>
>
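
A check for the layout suggested in the reply above, added here as an example and not part of the original thread: run from a workstation outside the cluster, it reports any Master or Regionserver UI that still answers directly instead of only through the Knox servers. It assumes plain HTTP and the stock status pages `/master-status` and `/rs-status`; the function names are hypothetical.

```python
import http.client
import sys

# Ports are the ones named in the thread; the status paths and plain HTTP
# are assumptions about a stock HBase deployment.
UI_TARGETS = {"master": (16010, "/master-status"),
              "regionserver": (16030, "/rs-status")}

def classify(status, headers):
    """Classify the answer to a request that carried no credentials."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and h.get("www-authenticate", "").lower().startswith("negotiate"):
        return "spnego"            # Kerberos/SPNEGO challenge
    if status in (301, 302, 303, 307, 308) and "/knoxsso/" in h.get("location", ""):
        return "sso-redirect"      # bounced to a KnoxSSO login endpoint
    if 200 <= status < 300:
        return "anonymous"         # page served without any authentication
    return "other"

def probe(host, port, path, timeout=3.0):
    """Send one unauthenticated GET; 'unreachable' means blocked or closed."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()

def audit(hosts, probe_fn=probe):
    """Return (host, role, result) for every UI still answering directly."""
    findings = []
    for host in hosts:
        for role, (port, path) in UI_TARGETS.items():
            result = probe_fn(host, port, path)
            if result != "unreachable":
                findings.append((host, role, result))
    return findings

if __name__ == "__main__":
    for host, role, result in audit(sys.argv[1:]):
        print(f"{host} {role}: reachable directly ({result})")
```

An empty result from a client network means the ports are blocked as intended; an `anonymous` finding is the case the original question set out to prevent.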
