HBASE-9742 Add Documentation For Simple User Access
git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1531191 13f79535-47bb-0310-9956-ffa450edef68
parent 71e8021b65
commit 0b204c8132
|
@ -243,6 +243,115 @@
|
||||||
|
|
||||||
</section> <!-- Secure Client Access to HBase -->
|
</section> <!-- Secure Client Access to HBase -->
|
||||||
|
|
||||||
|
<section xml:id="hbase.secure.simpleconfiguration">
|
||||||
|
<title>Simple User Access to Apache HBase</title>
|
||||||
|
<para>Newer releases of Apache HBase (>= 0.92) support optional SASL authentication of clients<footnote><para>See
|
||||||
|
also Matteo Bertozzi's article on <link xlink:href="http://www.cloudera.com/blog/2012/09/understanding-user-authentication-and-authorization-in-apache-hbase/">Understanding User Authentication and Authorization in Apache HBase</link>.</para></footnote>.</para>
|
||||||
|
<para>This describes how to set up Apache HBase and clients for simple user access to HBase resources.</para>
|
||||||
|
|
||||||
|
<section><title>Simple Versus Secure Access</title>
|
||||||
|
<para>
|
||||||
|
The following section shows how to set up simple user access. Simple user access is
|
||||||
|
not a secure method of operating HBase. This method is used to prevent users from making
|
||||||
|
mistakes. It can be used to mimic the Access Control using on a development system without having to
|
||||||
|
set up Kerberos.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
This method is not used to prevent malicious or hacking attempts. To make HBase secure against these
|
||||||
|
types of attacks, you must configure HBase for secure operation. Refer to the section
|
||||||
|
<link linkend='hbase.accesscontrol.configuration'>Secure Client Access to HBase</link> and complete all of the steps described
|
||||||
|
there.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<section><title>Prerequisites</title>
|
||||||
|
<para>
|
||||||
|
None
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<section><title>Server-side Configuration for Simple User Access Operation</title>
|
||||||
|
<para>
|
||||||
|
Add the following to the <code>hbase-site.xml</code> file on every server machine in the cluster:
|
||||||
|
</para>
|
||||||
|
<programlisting><![CDATA[
|
||||||
|
<property>
|
||||||
|
<name>hbase.security.authentication</name>
|
||||||
|
<value>simple</value>
|
||||||
|
</property>
|
||||||
|
<property>
|
||||||
|
<name>hbase.security.authorization</name>
|
||||||
|
<value>true</value>
|
||||||
|
</property>
|
||||||
|
<property>
|
||||||
|
<name>hbase.coprocessor.master.classes</name>
|
||||||
|
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
|
||||||
|
</property>
|
||||||
|
<property>
|
||||||
|
<name>hbase.coprocessor.region.classes</name>
|
||||||
|
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
|
||||||
|
</property>
|
||||||
|
]]></programlisting>
|
||||||
|
<para>
|
||||||
|
A full shutdown and restart of HBase service is required when deploying
|
||||||
|
these configuration changes.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section><title>Client-side Configuration for Simple User Access Operation</title>
|
||||||
|
<para>
|
||||||
|
Add the following to the <code>hbase-site.xml</code> file on every client:
|
||||||
|
</para>
|
||||||
|
<programlisting><![CDATA[
|
||||||
|
<property>
|
||||||
|
<name>hbase.security.authentication</name>
|
||||||
|
<value>simple</value>
|
||||||
|
</property>
|
||||||
|
]]></programlisting>
|
||||||
|
<para>
|
||||||
|
Be advised that if the <code>hbase.security.authentication</code>
|
||||||
|
in the client- and server-side site files do not match, the client will
|
||||||
|
not be able to communicate with the cluster.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section><title>Client-side Configuration for Simple User Access Operation - Thrift Gateway</title>
|
||||||
|
<para>The Thrift gateway user will need access. For example, to give the Thrift API user, <code>thrift_server</code>, administrative access, a command such as this one will suffice:
|
||||||
|
<programlisting><![CDATA[
|
||||||
|
grant 'thrift_server', 'RWCA'
|
||||||
|
]]></programlisting> For more information about ACLs, please see the <link linkend='hbase.accesscontrol.configuration'>Access Control</link> section
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
The Thrift gateway will authenticate with HBase using the supplied
|
||||||
|
credential. No authentication will be performed by the Thrift gateway
|
||||||
|
itself. All client access via the Thrift gateway will use the Thrift
|
||||||
|
gateway's credential and have its privilege.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section><title>Client-side Configuration for Simple User Access Operation - REST Gateway</title>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
The REST gateway will authenticate with HBase using the supplied
|
||||||
|
credential. No authentication will be performed by the REST gateway
|
||||||
|
itself. All client access via the REST gateway will use the REST
|
||||||
|
gateway's credential and have its privilege.
|
||||||
|
</para>
|
||||||
|
<para>The REST gateway user will need access. For example, to give the REST API user, <code>rest_server</code>, administrative access, a command such as this one will suffice:
|
||||||
|
<programlisting><![CDATA[
|
||||||
|
grant 'rest_server', 'RWCA'
|
||||||
|
]]></programlisting> For more information about ACLs, please see the <link linkend='hbase.accesscontrol.configuration'>Access Control</link> section
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
It should be possible for clients to authenticate with the HBase
|
||||||
|
cluster through the REST gateway in a pass-through manner via SPEGNO
|
||||||
|
HTTP authentication. This is future work.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
</section> <!-- Simple User Access to Apache HBase -->
|
||||||
|
|
||||||
|
|
||||||
<section xml:id="hbase.accesscontrol.configuration">
|
<section xml:id="hbase.accesscontrol.configuration">
|
||||||
<title>Access Control</title>
|
<title>Access Control</title>
|
||||||
|
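Review bot: The sections opened at "Simple Versus Secure Access" and "Prerequisites" are never closed before the next section begins, so the server-side, client-side, Thrift and REST sections end up nested inside "Prerequisites" (itself nested inside "Simple Versus Secure Access") and three closing tags pile up at the end of the hunk; close each section after its last para so they render as siblings. In the "Simple Versus Secure Access" text, the link labelled "Secure Client Access to HBase" uses linkend='hbase.accesscontrol.configuration', which is the id of the Access Control section visible in the trailing context, so it should use the secure client access section's own id. The Thrift and REST sections recommend grant 'thrift_server', 'RWCA' and grant 'rest_server', 'RWCA' while also stating that the gateway performs no authentication and that all clients act with its privilege; the text should say outright that every gateway client then holds those permissions and suggest a narrower grant where the gateway does not need all four. Smaller items: "SPEGNO" should be "SPNEGO", "mimic the Access Control using on a development system" has a stray "using", the opening para about optional SASL authentication should be checked against the simple mode configured below it, and the two "please see the Access Control section" sentences lack a final period.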
@ -259,12 +368,14 @@
|
||||||
|
|
||||||
<section><title>Prerequisites</title>
|
<section><title>Prerequisites</title>
|
||||||
<para>
|
<para>
|
||||||
You must configure HBase for secure operation. Refer to the section
|
You must configure HBase for secure or simple user access operation. Refer to the
|
||||||
"Secure Client Access to HBase" and complete all of the steps described
|
<link linkend='hbase.accesscontrol.configuration'>Secure Client Access to HBase</link> or
|
||||||
|
<link linkend='hbase.accesscontrol.simpleconfiguration'>Simple User Access to HBase</link>
|
||||||
|
sections and complete all of the steps described
|
||||||
there.
|
there.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
You must also configure ZooKeeper for secure operation. Changes to ACLs
|
For secure access, you must also configure ZooKeeper for secure operation. Changes to ACLs
|
||||||
are synchronized throughout the cluster using ZooKeeper. Secure
|
are synchronized throughout the cluster using ZooKeeper. Secure
|
||||||
authentication to ZooKeeper must be enabled or otherwise it will be
|
authentication to ZooKeeper must be enabled or otherwise it will be
|
||||||
possible to subvert HBase access control via direct client access to
|
possible to subvert HBase access control via direct client access to
|
||||||
|
|
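Review bot: The new "Simple User Access to HBase" link in the Prerequisites para uses linkend='hbase.accesscontrol.simpleconfiguration', but the section added earlier in this commit is declared with xml:id="hbase.secure.simpleconfiguration", so the reference will not resolve; use the declared id. The "Secure Client Access to HBase" link beside it uses linkend='hbase.accesscontrol.configuration', which is this Access Control section's own id, so it points back at itself rather than at the secure setup steps. With the ZooKeeper requirement now scoped to "For secure access", the paragraph should also state that under simple user access the ACL data in ZooKeeper is unprotected, since the sentence that follows says access control can be subverted via direct client access when ZooKeeper authentication is not enabled.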