HBASE-9742 Add Documentation For Simple User Access

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1531191 13f79535-47bb-0310-9956-ffa450edef68
Michael Stack 2013-10-11 04:14:52 +00:00
parent 71e8021b65
commit 0b204c8132
1 changed files with 114 additions and 3 deletions

@ -243,6 +243,115 @@
</section> <!-- Secure Client Access to HBase --> </section> <!-- Secure Client Access to HBase -->
<section xml:id="hbase.secure.simpleconfiguration">
<title>Simple User Access to Apache HBase</title>
<para>Newer releases of Apache HBase (&gt;= 0.92) support optional SASL authentication of clients<footnote><para>See
also Matteo Bertozzi's article on <link xlink:href="http://www.cloudera.com/blog/2012/09/understanding-user-authentication-and-authorization-in-apache-hbase/">Understanding User Authentication and Authorization in Apache HBase</link>.</para></footnote>.</para>
<para>This describes how to set up Apache HBase and clients for simple user access to HBase resources.</para>
<section><title>Simple Versus Secure Access</title>
<para>
The following section shows how to set up simple user access. Simple user access is
not a secure method of operating HBase. This method is used to prevent users from making
mistakes. It can be used to mimic the Access Control using on a development system without having to
set up Kerberos.
</para>
<para>
This method is not used to prevent malicious or hacking attempts. To make HBase secure against these
types of attacks, you must configure HBase for secure operation. Refer to the section
<link linkend='hbase.accesscontrol.configuration'>Secure Client Access to HBase</link> and complete all of the steps described
there.
</para>
<section><title>Prerequisites</title>
<para>
None
</para>
<section><title>Server-side Configuration for Simple User Access Operation</title>
<para>
Add the following to the <code>hbase-site.xml</code> file on every server machine in the cluster:
</para>
<programlisting><![CDATA[
<property>
<name>hbase.security.authentication</name>
<value>simple</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
]]></programlisting>
<para>
A full shutdown and restart of HBase service is required when deploying
these configuration changes.
</para>
</section>
<section><title>Client-side Configuration for Simple User Access Operation</title>
<para>
Add the following to the <code>hbase-site.xml</code> file on every client:
</para>
<programlisting><![CDATA[
<property>
<name>hbase.security.authentication</name>
<value>simple</value>
</property>
]]></programlisting>
<para>
Be advised that if the <code>hbase.security.authentication</code>
in the client- and server-side site files do not match, the client will
not be able to communicate with the cluster.
</para>
</section>
<section><title>Client-side Configuration for Simple User Access Operation - Thrift Gateway</title>
<para>The Thrift gateway user will need access. For example, to give the Thrift API user, <code>thrift_server</code>, administrative access, a command such as this one will suffice:
<programlisting><![CDATA[
grant 'thrift_server', 'RWCA'
]]></programlisting> For more information about ACLs, please see the <link linkend='hbase.accesscontrol.configuration'>Access Control</link> section
</para>
<para>
The Thrift gateway will authenticate with HBase using the supplied
credential. No authentication will be performed by the Thrift gateway
itself. All client access via the Thrift gateway will use the Thrift
gateway's credential and have its privilege.
</para>
</section>
<section><title>Client-side Configuration for Simple User Access Operation - REST Gateway</title>
<para>
The REST gateway will authenticate with HBase using the supplied
credential. No authentication will be performed by the REST gateway
itself. All client access via the REST gateway will use the REST
gateway's credential and have its privilege.
</para>
<para>The REST gateway user will need access. For example, to give the REST API user, <code>rest_server</code>, administrative access, a command such as this one will suffice:
<programlisting><![CDATA[
grant 'rest_server', 'RWCA'
]]></programlisting> For more information about ACLs, please see the <link linkend='hbase.accesscontrol.configuration'>Access Control</link> section
</para>
<para>
It should be possible for clients to authenticate with the HBase
cluster through the REST gateway in a pass-through manner via SPEGNO
HTTP authentication. This is future work.
</para>
</section>
</section>
</section>
</section> <!-- Simple User Access to Apache HBase -->
<section xml:id="hbase.accesscontrol.configuration"> <section xml:id="hbase.accesscontrol.configuration">
<title>Access Control</title> <title>Access Control</title>
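Review bot: In the Thrift and REST gateway sections, the example commands `grant 'thrift_server', 'RWCA'` and `grant 'rest_server', 'RWCA'` give the gateway user full administrative access, while the adjacent paragraphs state that the gateway performs no authentication of its own and that all client access uses the gateway's credential and privilege. Taken together, every client that can reach the gateway operates with create and admin rights. Suggest the example grant only the permissions gateway clients need, or that the text state this consequence next to the command. Smaller points: the link labelled "Secure Client Access to HBase" under "Simple Versus Secure Access" uses linkend='hbase.accesscontrol.configuration', which is the id of the Access Control section shown in the trailing context of this hunk; "SPEGNO" should read "SPNEGO"; "mimic the Access Control using on a development system" is missing a word; and "Prerequisites" and the server-side section are opened without closing the preceding section, so they nest inside "Simple Versus Secure Access" instead of sitting beside it.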
@ -259,12 +368,14 @@
<section><title>Prerequisites</title> <section><title>Prerequisites</title>
<para> <para>
You must configure HBase for secure operation. Refer to the section You must configure HBase for secure or simple user access operation. Refer to the
"Secure Client Access to HBase" and complete all of the steps described <link linkend='hbase.accesscontrol.configuration'>Secure Client Access to HBase</link> or
<link linkend='hbase.accesscontrol.simpleconfiguration'>Simple User Access to HBase</link>
sections and complete all of the steps described
there. there.
</para> </para>
<para> <para>
You must also configure ZooKeeper for secure operation. Changes to ACLs For secure access, you must also configure ZooKeeper for secure operation. Changes to ACLs
are synchronized throughout the cluster using ZooKeeper. Secure are synchronized throughout the cluster using ZooKeeper. Secure
authentication to ZooKeeper must be enabled or otherwise it will be authentication to ZooKeeper must be enabled or otherwise it will be
possible to subvert HBase access control via direct client access to possible to subvert HBase access control via direct client access to
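Review bot: The new link to "Simple User Access to HBase" uses linkend='hbase.accesscontrol.simpleconfiguration', but the section added earlier in this patch is declared with xml:id="hbase.secure.simpleconfiguration", so the cross-reference will not resolve; use the declared id. The link labelled "Secure Client Access to HBase" uses linkend='hbase.accesscontrol.configuration', which the previous hunk shows as the id of the Access Control section itself. Also, the reworded ZooKeeper sentence now requires securing ZooKeeper only "for secure access", while the same paragraph says ACL changes are synchronized through ZooKeeper and can be subverted by direct client access; the text should say explicitly that this path stays open under simple user access.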