hbase

History

Josh Elser 8b00f9f0b1 HBASE-17115 Define UI admins via an ACL The Hadoop AccessControlList allows us to specify admins of the webUI via a list of users and/or groups. Admins of the WebUI can mutate the system, potentially seeing sensitive data or modifying the system. hbase.security.authentication.spnego.admin.users is a comma-separated list of users who are admins. hbase.security.authentication.spnego.admin.groups is a comma-separated list of groups whose membership are admins. Either of these configuration properties may also contain an asterisk (*) which denotes "any entity" (e.g user, group). Previously, when a user was denied from some endpoint that was designated for admins, they received an HTTP/401. In this case, it is more correct to return HTTP/403 as they were correctly authenticated, but they were disallowed from fetching the given resource. This commit incorporates this change. hbase.security.authentication.ui.config.protected also exists for users who have sensitive information stored in the Hadoop service configuration and want to limit access to this endpoint. By default, the Hadoop configuration endpoint is not protected and any authenticated user can access it. The test is based off of work by Nihal Jain in HBASE-20472. Co-authored-by: Nihal Jain <nihaljain.cs@gmail.com> Signed-off-by: Sean Busbey <busbey@apache.org>	2020-01-29 16:36:55 -05:00
..
src	HBASE-17115 Define UI admins via an ACL	2020-01-29 16:36:55 -05:00
pom.xml	HBASE-22478 Add jackson dependency for hbase-http module	2019-05-27 18:03:34 +08:00

Josh Elser 8b00f9f0b1 HBASE-17115 Define UI admins via an ACL

The Hadoop AccessControlList allows us to specify admins of the webUI
via a list of users and/or groups. Admins of the WebUI can mutate the
system, potentially seeing sensitive data or modifying the system.

hbase.security.authentication.spnego.admin.users is a comma-separated
list of users who are admins.
hbase.security.authentication.spnego.admin.groups is a comma-separated
list of groups whose membership are admins. Either of these
configuration properties may also contain an asterisk (*) which denotes
"any entity" (e.g user, group).

Previously, when a user was denied from some endpoint that was
designated for admins, they received an HTTP/401. In this case, it is
more correct to return HTTP/403 as they were correctly authenticated,
but they were disallowed from fetching the given resource. This commit
incorporates this change.

hbase.security.authentication.ui.config.protected also exists for users
who have sensitive information stored in the Hadoop service
configuration and want to limit access to this endpoint. By default,
the Hadoop configuration endpoint is not protected and any
authenticated user can access it.

The test is based off of work by Nihal Jain in HBASE-20472.

Co-authored-by: Nihal Jain <nihaljain.cs@gmail.com>
Signed-off-by: Sean Busbey <busbey@apache.org>

2020-01-29 16:36:55 -05:00

src

HBASE-17115 Define UI admins via an ACL

2020-01-29 16:36:55 -05:00

pom.xml

HBASE-22478 Add jackson dependency for hbase-http module

2019-05-27 18:03:34 +08:00