HBASE-8588 [Documentation]: Add information about adding REST and Thrift API kerberos principals to HBase ACL table

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1484953 13f79535-47bb-0310-9956-ffa450edef68

src/main/docbkx/security.xml

@@ -49,13 +49,13 @@
         only to the user account under which the HBase daemons will run.
     </para>
     <para>
-        A Kerberos principal has three parts, with the form 
+        A Kerberos principal has three parts, with the form
         <code>username/fully.qualified.domain.name@YOUR-REALM.COM</code>. We
         recommend using <code>hbase</code> as the username portion.
     </para>
     <para>
         The following is an example of the configuration properties for
-        Kerberos operation that must be added to the 
+        Kerberos operation that must be added to the
         <code>hbase-site.xml</code> file on every server machine in the
         cluster. Required for even the most basic interactions with a
         secure Hadoop configuration, independent of HBase security.
@@ -91,7 +91,7 @@
     <para>
         Long running daemons with indefinite lifetimes that require client
         access to HBase can instead be configured to log in from a keytab. For
-        each host running such daemons, create a keytab with 
+        each host running such daemons, create a keytab with
         <code>kadmin</code> or <code>kadmin.local</code>. The procedure for
         creating keytabs for HBase service is the same as for creating
         keytabs for Hadoop. Those steps are omitted here. Copy the resulting
@@ -107,8 +107,8 @@
     <programlisting><![CDATA[
       <property>
         <name>hbase.security.authentication</name>
-        <value>kerberos</value> 
-      </property> 
+        <value>kerberos</value>
+      </property>
       <property>
         <name>hbase.security.authorization</name>
         <value>true</value>
@@ -132,7 +132,7 @@
       <property>
         <name>hbase.security.authentication</name>
         <value>kerberos</value>
-      </property> 
+      </property>
     ]]></programlisting>
     <para>
         The client environment must be logged in to Kerberos from KDC or
@@ -141,7 +141,7 @@
     </para>
     <para>
         Be advised that if the <code>hbase.security.authentication</code>
-        in the client- and server-side site files do not match, the client will 
+        in the client- and server-side site files do not match, the client will
         not be able to communicate with the cluster.
     </para>
     <para>
@@ -188,6 +188,12 @@
         Substitute the appropriate credential and keytab for $USER and $KEYTAB
         respectively.
     </para>
+    <para>In order to use the Thrift API principal to interact with HBase, it is also necessary to add the <code>hbase.thrift.kerberos.principal</code> to the <code>_acl_</code> table. For example, to give the Thrift API principal, <code>thrift_server</code>, administrative access, a command such as this one will suffice:
+    <programlisting><![CDATA[
+    grant 'thrift_server', 'RWCA'
+    ]]></programlisting> For more information about ACLs, please see the <link linkend='hbase.accesscontrol.configuration'>Access Control</link> section
+    </para>
+
     <para>
         The Thrift gateway will authenticate with HBase using the supplied
         credential. No authentication will be performed by the Thrift gateway
@@ -220,6 +226,11 @@
         itself. All client access via the REST gateway will use the REST
         gateway's credential and have its privilege.
     </para>
+    <para>In order to use the REST API principal to interact with HBase, it is also necessary to add the <code>hbase.rest.kerberos.principal</code> to the <code>_acl_</code> table. For example, to give the REST API principal, <code>rest_server</code>, administrative access, a command such as this one will suffice:
+    <programlisting><![CDATA[
+    grant 'rest_server', 'RWCA'
+    ]]></programlisting> For more information about ACLs, please see the <link linkend='hbase.accesscontrol.configuration'>Access Control</link> section
+    </para>
     <para>
         It should be possible for clients to authenticate with the HBase
         cluster through the REST gateway in a pass-through manner via SPEGNO
@@ -251,7 +262,7 @@
     </para>
     <para>
        You must also configure ZooKeeper for secure operation. Changes to ACLs
-       are synchronized throughout the cluster using ZooKeeper. Secure 
+       are synchronized throughout the cluster using ZooKeeper. Secure
        authentication to ZooKeeper must be enabled or otherwise it will be
        possible to subvert HBase access control via direct client access to
        ZooKeeper. Refer to the section on secure ZooKeeper configuration and
@@ -264,7 +275,7 @@
         With Secure RPC and Access Control enabled, client access to HBase is
         authenticated and user data is private unless access has been
         explicitly granted. Access to data can be granted at a table or per
-        column family basis. 
+        column family basis.
     </para>
     <para>
         However, the following items have been left out of the initial
@@ -423,7 +434,7 @@ Access control mechanisms are mature and fairly standardized in the relational d
        the table, though it may be changed at table creation time or during an
        alter operation by setting or changing the OWNER table attribute. Only a
        single user principal can own a table at a given time. A table owner will
-       have all permissions over a given table. 
+       have all permissions over a given table.
     </para>
     </section>
 
@@ -452,7 +463,7 @@ Access control mechanisms are mature and fairly standardized in the relational d
 
     <section><title>Shell Enhancements for Access Control</title>
     <para>
-The HBase shell has been extended to provide simple commands for editing and updating user permissions. The following commands have been added for access control list management: 
+The HBase shell has been extended to provide simple commands for editing and updating user permissions. The following commands have been added for access control list management:
     </para>
     Grant
     <para>
@@ -461,7 +472,7 @@ The HBase shell has been extended to provide simple commands for editing and upd
     </programlisting>
     </para>
     <para>
-    <code>&lt;permissions&gt;</code> is zero or more letters from the set "RWCA": READ('R'), WRITE('W'), CREATE('C'), ADMIN('A'). 
+    <code>&lt;permissions&gt;</code> is zero or more letters from the set "RWCA": READ('R'), WRITE('W'), CREATE('C'), ADMIN('A').
     </para>
     <para>
     Note: Grants and revocations of individual permissions on a resource are both accomplished using the <code>grant</code> command. A separate <code>revoke</code> command is also provided by the shell, but this is for fast revocation of all of a user's access rights to a given resource only.