HBASE-12168 Document Rest gateway SPNEGO-based authentication for client

<Jerry He>
Misty Stanley-Jones 2015-02-12 14:10:32 +10:00
parent e83444e845
commit b51f5dc120
1 changed files with 24 additions and 4 deletions


@ -270,8 +270,6 @@ Add the following to the `hbase-site.xml` file for every REST gateway:
Substitute the appropriate credential and keytab for _$USER_ and _$KEYTAB_ respectively. Substitute the appropriate credential and keytab for _$USER_ and _$KEYTAB_ respectively.
The REST gateway will authenticate with HBase using the supplied credential. The REST gateway will authenticate with HBase using the supplied credential.
No authentication will be performed by the REST gateway itself.
All client access via the REST gateway will use the REST gateway's credential and have its privilege.
In order to use the REST API principal to interact with HBase, it is also necessary to add the `hbase.rest.kerberos.principal` to the `_acl_` table. In order to use the REST API principal to interact with HBase, it is also necessary to add the `hbase.rest.kerberos.principal` to the `_acl_` table.
For example, to give the REST API principal, `rest_server`, administrative access, a command such as this one will suffice: For example, to give the REST API principal, `rest_server`, administrative access, a command such as this one will suffice:
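Review bot: The two sentences removed after "using the supplied credential" were the only place telling readers that clients act with the REST gateway's credential and privilege, and the text added further down does not say whether that still holds once client authentication is enabled. Because the example that follows grants `rest_server` 'RWCA', suggest keeping a qualified version here: state which identity HBase sees for client requests with and without `hbase.rest.authentication.type` set to `kerberos`, or point to the REST Gateway Impersonation Configuration section for per-user access.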
@ -283,8 +281,30 @@ grant 'rest_server', 'RWCA'
For more information about ACLs, please see the <<hbase.accesscontrol.configuration>> section For more information about ACLs, please see the <<hbase.accesscontrol.configuration>> section
It should be possible for clients to authenticate with the HBase cluster through the REST gateway in a pass-through manner via SPNEGO HTTP authentication. HBase REST gateway supports link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO HTTP authentication] for client access to the gateway.
This is future work. To enable REST gateway Kerberos authentication for client access, add the following to the `hbase-site.xml` file for every REST gateway.
[source,xml]
----
<property>
<name>hbase.rest.authentication.type</name>
<value>kerberos</value>
</property>
<property>
<name>hbase.rest.authentication.kerberos.principal</name>
<value>HTTP/_HOST@HADOOP.LOCALDOMAIN</value>
</property>
<property>
<name>hbase.rest.authentication.kerberos.keytab</name>
<value>$KEYTAB</value>
</property>
----
Substitute the keytab for HTTP for _$KEYTAB_.
HBase REST gateway supports different 'hbase.rest.authentication.type': simple, kerberos.
You can also implement a custom authentication by implemening Hadoop AuthenticationHandler, then specify the full class name as 'hbase.rest.authentication.type' value.
For more information, refer to link:http://hadoop.apache.org/docs/stable/hadoop-auth/index.html[SPNEGO HTTP authentication].
[[security.rest.gateway]] [[security.rest.gateway]]
=== REST Gateway Impersonation Configuration === REST Gateway Impersonation Configuration
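Review bot: In the text added after the XML block, only `_$KEYTAB_` gets a substitution note; the principal value `HTTP/_HOST@HADOOP.LOCALDOMAIN` is given with no indication that the realm is a site-specific example or of how `_HOST` is handled. Suggest extending the sentence to something like "Substitute the keytab for the HTTP principal for _$KEYTAB_, and your own realm for HADOOP.LOCALDOMAIN". The same paragraph lists `simple` as a supported value without saying what it does, contains the typo "implemening", and puts `hbase.rest.authentication.type` in single quotes where the rest of the section uses backticks.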