Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-12708 Document newly introduced params for using Thrift-over-HTTPS. <Srikanth Srungarapu>

This commit is contained in:
Misty Stanley-Jones 2015-01-14 20:35:21 -08:00
parent 296383c934
commit 4b0efe5515
1 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
src/main/asciidoc/_chapters/security.adoc
View File

@ -214,6 +214,45 @@ To enable it, do the following.
To stop Thrift on a node, run the command +bin/hbase-daemon.sh stop thrift+.
To start Thrift on a node, run the command +bin/hbase-daemon.sh start thrift+.
[[security.gateway.thrift.doas]]
=== Configure the Thrift Gateway to Use the `doAs` Feature
<<security.gateway.thrift>> describes how to configure the Thrift gateway to authenticate to HBase on the client's behalf, and to access HBase using a proxy user. The limitation of this approach is that after the client is initialized with a particular set of credentials, it cannot change these credentials during the session session. The `doAs` feature provides a flexible way to impersonate multiple principals using the same client. This feature was implemented in link:https://issues.apache.org/jira/browse/HBASE-12640[HBASE-12640] for Thrift 1, but is currently not available for Thrift 2.
*To allow proxy users*, add the following to the _hbase-site.xml_ file for every HBase node:
[source,xml]
----
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hadoop.proxyuser.$USER.groups</name>
<value>$GROUPS</value>
</property>
<property>
<name>hadoop.proxyuser.$USER.hosts</name>
<value>$GROUPS</value>
</property>
----
*To enable the `doAs` feature*, add the following to the _hbase-site.xml_ file for every Thrift gateway:
[source,xml]
----
<property>
<name>hbase.regionserver.thrift.http</name>
<value>true</value>
</property>
<property>
<name>hbase.thrift.support.proxyuser</name>
<value>true/value>
</property>
----
Take a look at the link:https://github.com/apache/hbase/blob/master/hbase-examples/src/main/java/org/apache/hadoop/hbase/thrift/HttpDoAsClient.java[demo client] to get an overall idea of how to use this feature in your client.
=== Client-side Configuration for Secure Operation - REST Gateway
Add the following to the [code]+hbase-site.xml+ file for every REST gateway: