diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc index 9cffbdb605e..072f2510833 100644 --- a/src/main/asciidoc/_chapters/security.adoc +++ b/src/main/asciidoc/_chapters/security.adoc @@ -270,8 +270,6 @@ Add the following to the `hbase-site.xml` file for every REST gateway: Substitute the appropriate credential and keytab for _$USER_ and _$KEYTAB_ respectively. The REST gateway will authenticate with HBase using the supplied credential. -No authentication will be performed by the REST gateway itself. -All client access via the REST gateway will use the REST gateway's credential and have its privilege. In order to use the REST API principal to interact with HBase, it is also necessary to add the `hbase.rest.kerberos.principal` to the `_acl_` table. For example, to give the REST API principal, `rest_server`, administrative access, a command such as this one will suffice: 
@@ -283,8 +281,30 @@ grant 'rest_server', 'RWCA' For more information about ACLs, please see the <> section -It should be possible for clients to authenticate with the HBase cluster through the REST gateway in a pass-through manner via SPNEGO HTTP authentication. -This is future work. +HBase REST gateway supports link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO HTTP authentication] for client access to the gateway. +To enable REST gateway Kerberos authentication for client access, add the following to the `hbase-site.xml` file for every REST gateway. + +[source,xml] +---- + + hbase.rest.authentication.type + kerberos + + + hbase.rest.authentication.kerberos.principal + HTTP/_HOST@HADOOP.LOCALDOMAIN + + + hbase.rest.authentication.kerberos.keytab + $KEYTAB + +---- + +Substitute the keytab for HTTP for _$KEYTAB_. + +HBase REST gateway supports different 'hbase.rest.authentication.type': simple, kerberos. +You can also implement a custom authentication by implemening Hadoop AuthenticationHandler, then specify the full class name as 'hbase.rest.authentication.type' value. +For more information, refer to link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO HTTP authentication]. [[security.rest.gateway]] === REST Gateway Impersonation Configuration
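Review bot: In the first hunk (@@ -270,8 +270,6 @@), dropping "No authentication will be performed by the REST gateway itself." and "All client access via the REST gateway will use the REST gateway's credential and have its privilege." leaves the section silent on what happens when client authentication is not switched on. The second hunk still lists `simple` as a supported `hbase.rest.authentication.type`, so please keep a qualified form of the first sentence that says which setting it applies to. The second sentence deserves the same treatment. The retained text still says the gateway authenticates to HBase with the supplied credential, and the example grants `rest_server` 'RWCA'. State explicitly whether requests from SPNEGO-authenticated clients still run with that principal's privilege unless the impersonation configuration in the following section is applied. Without that, a reader can take client authentication to mean per-user authorization.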
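Review bot: In the second hunk (@@ -283,8 +281,30 @@), the only substitution instruction after the new XML block is "Substitute the keytab for HTTP for _$KEYTAB_.", but the principal value `HTTP/_HOST@HADOOP.LOCALDOMAIN` carries a sample realm that a reader could copy unchanged. Please say that the realm must be replaced with the site's own and how `_HOST` is handled, and reword the keytab sentence to something like "Substitute the keytab of the HTTP principal for _$KEYTAB_." The paragraph listing the types should also say which value applies when the property is unset and what `simple` means for client access, since that choice decides whether clients are authenticated at all. Smaller points: "implemening" should be "implementing"; the property name is written as 'hbase.rest.authentication.type' in single quotes while the rest of the chapter uses backticks for properties and file names; and the same hadoop-auth link appears twice within a few lines, so the closing "For more information" sentence could be dropped or pointed at the AuthenticationHandler documentation specifically.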