HBASE-12168 Document Rest gateway SPNEGO-based authentication for client
<Jerry He>
This commit is contained in:
parent
e83444e845
commit
b51f5dc120
|
@ -270,8 +270,6 @@ Add the following to the `hbase-site.xml` file for every REST gateway:
|
||||||
Substitute the appropriate credential and keytab for _$USER_ and _$KEYTAB_ respectively.
|
Substitute the appropriate credential and keytab for _$USER_ and _$KEYTAB_ respectively.
|
||||||
|
|
||||||
The REST gateway will authenticate with HBase using the supplied credential.
|
The REST gateway will authenticate with HBase using the supplied credential.
|
||||||
No authentication will be performed by the REST gateway itself.
|
|
||||||
All client access via the REST gateway will use the REST gateway's credential and have its privilege.
|
|
||||||
|
|
||||||
In order to use the REST API principal to interact with HBase, it is also necessary to add the `hbase.rest.kerberos.principal` to the `_acl_` table.
|
In order to use the REST API principal to interact with HBase, it is also necessary to add the `hbase.rest.kerberos.principal` to the `_acl_` table.
|
||||||
For example, to give the REST API principal, `rest_server`, administrative access, a command such as this one will suffice:
|
For example, to give the REST API principal, `rest_server`, administrative access, a command such as this one will suffice:
|
||||||
|
@ -283,8 +281,30 @@ grant 'rest_server', 'RWCA'
|
||||||
|
|
||||||
For more information about ACLs, please see the <<hbase.accesscontrol.configuration>> section
|
For more information about ACLs, please see the <<hbase.accesscontrol.configuration>> section
|
||||||
|
|
||||||
It should be possible for clients to authenticate with the HBase cluster through the REST gateway in a pass-through manner via SPNEGO HTTP authentication.
|
HBase REST gateway supports link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO HTTP authentication] for client access to the gateway.
|
||||||
This is future work.
|
To enable REST gateway Kerberos authentication for client access, add the following to the `hbase-site.xml` file for every REST gateway.
|
||||||
|
|
||||||
|
[source,xml]
|
||||||
|
----
|
||||||
|
<property>
|
||||||
|
<name>hbase.rest.authentication.type</name>
|
||||||
|
<value>kerberos</value>
|
||||||
|
</property>
|
||||||
|
<property>
|
||||||
|
<name>hbase.rest.authentication.kerberos.principal</name>
|
||||||
|
<value>HTTP/_HOST@HADOOP.LOCALDOMAIN</value>
|
||||||
|
</property>
|
||||||
|
<property>
|
||||||
|
<name>hbase.rest.authentication.kerberos.keytab</name>
|
||||||
|
<value>$KEYTAB</value>
|
||||||
|
</property>
|
||||||
|
----
|
||||||
|
|
||||||
|
Substitute the keytab for HTTP for _$KEYTAB_.
|
||||||
|
|
||||||
|
HBase REST gateway supports different 'hbase.rest.authentication.type': simple, kerberos.
|
||||||
|
You can also implement a custom authentication by implemening Hadoop AuthenticationHandler, then specify the full class name as 'hbase.rest.authentication.type' value.
|
||||||
|
For more information, refer to link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO HTTP authentication].
|
||||||
|
|
||||||
[[security.rest.gateway]]
|
[[security.rest.gateway]]
|
||||||
=== REST Gateway Impersonation Configuration
|
=== REST Gateway Impersonation Configuration
|
||||||
|
|
Loading…
Reference in New Issue