FAQ
Hi,

I have configured secure Hdfs and Hbase with Cloudera Manager to enable
Kerberos authorization for HDFS, hue and hbase.
I made sure REST API for WebHDFS is work successfully.
------------
[root@dhcp149216 ~]# kinit user01
Password for user01@mycompany.com:
[root@dhcp149216 ~]# curl --negotiate -u: -i "
http://dhcp149216:50070/webhdfs/v1/user/user01/samp.dat?op=open"
HTTP/1.1 401
Cache-Control: must-revalidate,no-cache,no-store
Date: Tue, 24 Sep 2013 02:20:10 GMT
Pragma: no-cache
Date: Tue, 24 Sep 2013 02:20:10 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
Content-Length: 1378
Server: Jetty(6.1.26.cloudera.2)

HTTP/1.1 307 TEMPORARY_REDIRECT
Cache-Control: no-cache
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Date: Tue, 24 Sep 2013 02:20:10 GMT
Pragma: no-cache
Date: Tue, 24 Sep 2013 02:20:10 GMT
Pragma: no-cache
Content-Type: application/octet-stream
Set-Cookie: hadoop.auth="u=user01&p=user01@mycompany.com
&t=kerberos&e=1380025210434&s=EHTlCLhBjb09oHHh8mSbapvPp6I=";Path=/
Location:
http://dhcp149216.a01.aist.go.jp:1006/webhdfs/v1/user/user01/samp.dat?op=OPEN&delegation=IAAGdXNlcjAxBnVzZXIwMQCKAUFNxEVOigFBcdDJTgcEFD1nBTkbkBcXKD5PIn8jpnn4g-goEldFQkhERlMgZGVsZWdhdGlvbhQxNTAuMjkuMTQ5LjIxNjo1MDA3MA&namenoderpcaddress=dhcp149216.a01.aist.go.jp:8020&offset=0
Content-Length: 0
Server: Jetty(6.1.26.cloudera.2)
------------

But, I found Kerberos Authentication of Hbase is not done while I access
to Hbase REST gateway.

----
[root@dhcp149216 ~]# kdestroy

[lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema
{ NAME=> 'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [ {
NAME => 'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE',
MIN_VERSIONS => '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK =>
'true', BLOCKCACHE => 'true', COMPRESSION => 'NONE', VERSIONS => '3',
REPLICATION_SCOPE => '0', TTL => '2147483647', DATA_BLOCK_ENCODING =>
'NONE', IN_MEMORY => 'false' } ] }[lili@dhcp149251 ~]$
[lili@dhcp149251 ~]$ curl -X DELETE http://dhcp149216:20550/table1/schema
[lili@dhcp149251 ~]$ curl -X PUT -H "Content-Type: application/json" -d
'{"@name":"table1", "ColumnSchema":[{"name":"column1"}]}'
http://dhcp149216:20550/table1/schema
[lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema{ NAME=>
'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [ { NAME =>
'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE', MIN_VERSIONS =>
'0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK => 'true', BLOCKCACHE =>
'true', COMPRESSION => 'NONE', VERSIONS => '3', REPLICATION_SCOPE => '0',
TTL => '2147483647', DATA_BLOCK_ENCODING => 'NONE', IN_MEMORY => 'false' }
] }
------
Hbase was configured for Kerberos Authentication , but it can be accessd
by anyone from anywhere, Why ?

Please advice me how to access Hbase gateway with kerberos Authentication.

[image: 埋め込み画像 1]

Thanks,

Li Li

To unsubscribe from this group and stop receiving emails from it, send an email to scm-users+unsubscribe@cloudera.org.

Search Discussions

  • 李黎 at Sep 24, 2013 at 6:16 am
    Hi,

    I know it, but it don´t work at the environment configured by the Cloudera
    Manager.
    where is wrong?

    Thanks,

    Li Li


    2013/9/24 Vikram Srivastava <vikrams@cloudera.com>
    +cdh-user

    Added cdh-user where we can get more information for HBase. As per
    http://hbase.apache.org/book/security.html#d0e5338, it doesn't seem like
    HBase Rest server doesn't authentication for clients.

    On Mon, Sep 23, 2013 at 7:41 PM, 李黎 wrote:

    Hi,

    I have configured secure Hdfs and Hbase with Cloudera Manager to enable
    Kerberos authorization for HDFS, hue and hbase.
    I made sure REST API for WebHDFS is work successfully.
    ------------
    [root@dhcp149216 ~]# kinit user01
    Password for user01@mycompany.com:
    [root@dhcp149216 ~]# curl --negotiate -u: -i "
    http://dhcp149216:50070/webhdfs/v1/user/user01/samp.dat?op=open"
    HTTP/1.1 401
    Cache-Control: must-revalidate,no-cache,no-store
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: text/html; charset=iso-8859-1
    WWW-Authenticate: Negotiate
    Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
    Content-Length: 1378
    Server: Jetty(6.1.26.cloudera.2)

    HTTP/1.1 307 TEMPORARY_REDIRECT
    Cache-Control: no-cache
    Expires: Thu, 01-Jan-1970 00:00:00 GMT
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: application/octet-stream
    Set-Cookie: hadoop.auth="u=user01&p=user01@mycompany.com
    &t=kerberos&e=1380025210434&s=EHTlCLhBjb09oHHh8mSbapvPp6I=";Path=/
    Location:
    http://dhcp149216.a01.aist.go.jp:1006/webhdfs/v1/user/user01/samp.dat?op=OPEN&delegation=IAAGdXNlcjAxBnVzZXIwMQCKAUFNxEVOigFBcdDJTgcEFD1nBTkbkBcXKD5PIn8jpnn4g-goEldFQkhERlMgZGVsZWdhdGlvbhQxNTAuMjkuMTQ5LjIxNjo1MDA3MA&namenoderpcaddress=dhcp149216.a01.aist.go.jp:8020&offset=0
    Content-Length: 0
    Server: Jetty(6.1.26.cloudera.2)
    ------------

    But, I found Kerberos Authentication of Hbase is not done while I access
    to Hbase REST gateway.

    ----
    [root@dhcp149216 ~]# kdestroy

    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema
    { NAME=> 'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [ {
    NAME => 'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE',
    MIN_VERSIONS => '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK =>
    'true', BLOCKCACHE => 'true', COMPRESSION => 'NONE', VERSIONS => '3',
    REPLICATION_SCOPE => '0', TTL => '2147483647', DATA_BLOCK_ENCODING =>
    'NONE', IN_MEMORY => 'false' } ] }[lili@dhcp149251 ~]$
    [lili@dhcp149251 ~]$ curl -X DELETE http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl -X PUT -H "Content-Type: application/json" -d
    '{"@name":"table1", "ColumnSchema":[{"name":"column1"}]}'
    http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema{ NAME=>
    'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [ { NAME =>
    'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE', MIN_VERSIONS =>
    '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK => 'true', BLOCKCACHE =>
    'true', COMPRESSION => 'NONE', VERSIONS => '3', REPLICATION_SCOPE => '0',
    TTL => '2147483647', DATA_BLOCK_ENCODING => 'NONE', IN_MEMORY => 'false'
    } ] }
    ------
    Hbase was configured for Kerberos Authentication , but it can be accessd
    by anyone from anywhere, Why ?

    Please advice me how to access Hbase gateway with kerberos Authentication.

    [image: 埋め込み画像 1]

    Thanks,

    Li Li



    To unsubscribe from this group and stop receiving emails from it, send
    an email to scm-users+unsubscribe@cloudera.org.
    To unsubscribe from this group and stop receiving emails from it, send an email to scm-users+unsubscribe@cloudera.org.
  • Vikram Srivastava at Sep 24, 2013 at 6:22 am
    Oops, sorry I meant "it doesn't seem like HBase Rest server does any
    authentication for clients"

    The link says "No authentication will be performed by the REST gateway
    itself."

    On Mon, Sep 23, 2013 at 11:15 PM, 李黎 wrote:

    Hi,

    I know it, but it don´t work at the environment configured by the
    Cloudera Manager.
    where is wrong?

    Thanks,

    Li Li


    2013/9/24 Vikram Srivastava <vikrams@cloudera.com>
    +cdh-user

    Added cdh-user where we can get more information for HBase. As per
    http://hbase.apache.org/book/security.html#d0e5338, it doesn't seem like
    HBase Rest server doesn't authentication for clients.

    On Mon, Sep 23, 2013 at 7:41 PM, 李黎 wrote:

    Hi,

    I have configured secure Hdfs and Hbase with Cloudera Manager to enable
    Kerberos authorization for HDFS, hue and hbase.
    I made sure REST API for WebHDFS is work successfully.
    ------------
    [root@dhcp149216 ~]# kinit user01
    Password for user01@mycompany.com:
    [root@dhcp149216 ~]# curl --negotiate -u: -i "
    http://dhcp149216:50070/webhdfs/v1/user/user01/samp.dat?op=open"
    HTTP/1.1 401
    Cache-Control: must-revalidate,no-cache,no-store
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: text/html; charset=iso-8859-1
    WWW-Authenticate: Negotiate
    Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
    Content-Length: 1378
    Server: Jetty(6.1.26.cloudera.2)

    HTTP/1.1 307 TEMPORARY_REDIRECT
    Cache-Control: no-cache
    Expires: Thu, 01-Jan-1970 00:00:00 GMT
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: application/octet-stream
    Set-Cookie: hadoop.auth="u=user01&p=user01@mycompany.com
    &t=kerberos&e=1380025210434&s=EHTlCLhBjb09oHHh8mSbapvPp6I=";Path=/
    Location:
    http://dhcp149216.a01.aist.go.jp:1006/webhdfs/v1/user/user01/samp.dat?op=OPEN&delegation=IAAGdXNlcjAxBnVzZXIwMQCKAUFNxEVOigFBcdDJTgcEFD1nBTkbkBcXKD5PIn8jpnn4g-goEldFQkhERlMgZGVsZWdhdGlvbhQxNTAuMjkuMTQ5LjIxNjo1MDA3MA&namenoderpcaddress=dhcp149216.a01.aist.go.jp:8020&offset=0
    Content-Length: 0
    Server: Jetty(6.1.26.cloudera.2)
    ------------

    But, I found Kerberos Authentication of Hbase is not done while I access
    to Hbase REST gateway.

    ----
    [root@dhcp149216 ~]# kdestroy

    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema
    { NAME=> 'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [
    { NAME => 'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE',
    MIN_VERSIONS => '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK =>
    'true', BLOCKCACHE => 'true', COMPRESSION => 'NONE', VERSIONS => '3',
    REPLICATION_SCOPE => '0', TTL => '2147483647', DATA_BLOCK_ENCODING =>
    'NONE', IN_MEMORY => 'false' } ] }[lili@dhcp149251 ~]$
    [lili@dhcp149251 ~]$ curl -X DELETE
    http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl -X PUT -H "Content-Type: application/json" -d
    '{"@name":"table1", "ColumnSchema":[{"name":"column1"}]}'
    http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema{ NAME=>
    'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [ { NAME =>
    'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE', MIN_VERSIONS =>
    '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK => 'true', BLOCKCACHE =>
    'true', COMPRESSION => 'NONE', VERSIONS => '3', REPLICATION_SCOPE => '0',
    TTL => '2147483647', DATA_BLOCK_ENCODING => 'NONE', IN_MEMORY =>
    'false' } ] }
    ------
    Hbase was configured for Kerberos Authentication , but it can be
    accessd by anyone from anywhere, Why ?

    Please advice me how to access Hbase gateway with kerberos
    Authentication.

    [image: 埋め込み画像 1]

    Thanks,

    Li Li



    To unsubscribe from this group and stop receiving emails from it, send
    an email to scm-users+unsubscribe@cloudera.org.
    To unsubscribe from this group and stop receiving emails from it, send an email to scm-users+unsubscribe@cloudera.org.
  • 李黎 at Sep 24, 2013 at 7:26 am
    Hi,


    Please Tell me what kind of effect of Enable HBase authorization is ?

    [image: 埋め込み画像 1]



    Thanks,

    Li Li


    2013/9/24 Vikram Srivastava <vikrams@cloudera.com>
    Oops, sorry I meant "it doesn't seem like HBase Rest server does any
    authentication for clients"

    The link says "No authentication will be performed by the REST gateway
    itself."

    On Mon, Sep 23, 2013 at 11:15 PM, 李黎 wrote:

    Hi,

    I know it, but it don´t work at the environment configured by the
    Cloudera Manager.
    where is wrong?

    Thanks,

    Li Li


    2013/9/24 Vikram Srivastava <vikrams@cloudera.com>
    +cdh-user

    Added cdh-user where we can get more information for HBase. As per
    http://hbase.apache.org/book/security.html#d0e5338, it doesn't seem
    like HBase Rest server doesn't authentication for clients.

    On Mon, Sep 23, 2013 at 7:41 PM, 李黎 wrote:

    Hi,

    I have configured secure Hdfs and Hbase with Cloudera Manager to enable
    Kerberos authorization for HDFS, hue and hbase.
    I made sure REST API for WebHDFS is work successfully.
    ------------
    [root@dhcp149216 ~]# kinit user01
    Password for user01@mycompany.com:
    [root@dhcp149216 ~]# curl --negotiate -u: -i "
    http://dhcp149216:50070/webhdfs/v1/user/user01/samp.dat?op=open"
    HTTP/1.1 401
    Cache-Control: must-revalidate,no-cache,no-store
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: text/html; charset=iso-8859-1
    WWW-Authenticate: Negotiate
    Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
    Content-Length: 1378
    Server: Jetty(6.1.26.cloudera.2)

    HTTP/1.1 307 TEMPORARY_REDIRECT
    Cache-Control: no-cache
    Expires: Thu, 01-Jan-1970 00:00:00 GMT
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: application/octet-stream
    Set-Cookie: hadoop.auth="u=user01&p=user01@mycompany.com
    &t=kerberos&e=1380025210434&s=EHTlCLhBjb09oHHh8mSbapvPp6I=";Path=/
    Location:
    http://dhcp149216.a01.aist.go.jp:1006/webhdfs/v1/user/user01/samp.dat?op=OPEN&delegation=IAAGdXNlcjAxBnVzZXIwMQCKAUFNxEVOigFBcdDJTgcEFD1nBTkbkBcXKD5PIn8jpnn4g-goEldFQkhERlMgZGVsZWdhdGlvbhQxNTAuMjkuMTQ5LjIxNjo1MDA3MA&namenoderpcaddress=dhcp149216.a01.aist.go.jp:8020&offset=0
    Content-Length: 0
    Server: Jetty(6.1.26.cloudera.2)
    ------------

    But, I found Kerberos Authentication of Hbase is not done while I
    access to Hbase REST gateway.

    ----
    [root@dhcp149216 ~]# kdestroy

    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema
    { NAME=> 'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [
    { NAME => 'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE',
    MIN_VERSIONS => '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK =>
    'true', BLOCKCACHE => 'true', COMPRESSION => 'NONE', VERSIONS => '3',
    REPLICATION_SCOPE => '0', TTL => '2147483647', DATA_BLOCK_ENCODING =>
    'NONE', IN_MEMORY => 'false' } ] }[lili@dhcp149251 ~]$
    [lili@dhcp149251 ~]$ curl -X DELETE
    http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl -X PUT -H "Content-Type: application/json"
    -d '{"@name":"table1", "ColumnSchema":[{"name":"column1"}]}'
    http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema{NAME=> 'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [ {
    NAME => 'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE',
    MIN_VERSIONS => '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK =>
    'true', BLOCKCACHE => 'true', COMPRESSION => 'NONE', VERSIONS => '3',
    REPLICATION_SCOPE => '0', TTL => '2147483647', DATA_BLOCK_ENCODING =>
    'NONE', IN_MEMORY => 'false' } ] }
    ------
    Hbase was configured for Kerberos Authentication , but it can be
    accessd by anyone from anywhere, Why ?

    Please advice me how to access Hbase gateway with kerberos
    Authentication.

    [image: 埋め込み画像 1]

    Thanks,

    Li Li



    To unsubscribe from this group and stop receiving emails from it, send
    an email to scm-users+unsubscribe@cloudera.org.
    To unsubscribe from this group and stop receiving emails from it, send an email to scm-users+unsubscribe@cloudera.org.
  • 李黎 at Sep 24, 2013 at 8:11 am
    Hi,

    It´s said The REST interface can be set
    up<http://hbase.apache.org/book/security.html#d2163e4324>to use a
    Kerberos credential to increase security.

    http://blog.cloudera.com/blog/2013/03/how-to-use-the-apache-hbase-rest-interface-part-1/

    Thanks,

    Li Li


    2013/9/24 Vikram Srivastava <vikrams@cloudera.com>
    Oops, sorry I meant "it doesn't seem like HBase Rest server does any
    authentication for clients"

    The link says "No authentication will be performed by the REST gateway
    itself."

    On Mon, Sep 23, 2013 at 11:15 PM, 李黎 wrote:

    Hi,

    I know it, but it don´t work at the environment configured by the
    Cloudera Manager.
    where is wrong?

    Thanks,

    Li Li


    2013/9/24 Vikram Srivastava <vikrams@cloudera.com>
    +cdh-user

    Added cdh-user where we can get more information for HBase. As per
    http://hbase.apache.org/book/security.html#d0e5338, it doesn't seem
    like HBase Rest server doesn't authentication for clients.

    On Mon, Sep 23, 2013 at 7:41 PM, 李黎 wrote:

    Hi,

    I have configured secure Hdfs and Hbase with Cloudera Manager to enable
    Kerberos authorization for HDFS, hue and hbase.
    I made sure REST API for WebHDFS is work successfully.
    ------------
    [root@dhcp149216 ~]# kinit user01
    Password for user01@mycompany.com:
    [root@dhcp149216 ~]# curl --negotiate -u: -i "
    http://dhcp149216:50070/webhdfs/v1/user/user01/samp.dat?op=open"
    HTTP/1.1 401
    Cache-Control: must-revalidate,no-cache,no-store
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: text/html; charset=iso-8859-1
    WWW-Authenticate: Negotiate
    Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
    Content-Length: 1378
    Server: Jetty(6.1.26.cloudera.2)

    HTTP/1.1 307 TEMPORARY_REDIRECT
    Cache-Control: no-cache
    Expires: Thu, 01-Jan-1970 00:00:00 GMT
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: application/octet-stream
    Set-Cookie: hadoop.auth="u=user01&p=user01@mycompany.com
    &t=kerberos&e=1380025210434&s=EHTlCLhBjb09oHHh8mSbapvPp6I=";Path=/
    Location:
    http://dhcp149216.a01.aist.go.jp:1006/webhdfs/v1/user/user01/samp.dat?op=OPEN&delegation=IAAGdXNlcjAxBnVzZXIwMQCKAUFNxEVOigFBcdDJTgcEFD1nBTkbkBcXKD5PIn8jpnn4g-goEldFQkhERlMgZGVsZWdhdGlvbhQxNTAuMjkuMTQ5LjIxNjo1MDA3MA&namenoderpcaddress=dhcp149216.a01.aist.go.jp:8020&offset=0
    Content-Length: 0
    Server: Jetty(6.1.26.cloudera.2)
    ------------

    But, I found Kerberos Authentication of Hbase is not done while I
    access to Hbase REST gateway.

    ----
    [root@dhcp149216 ~]# kdestroy

    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema
    { NAME=> 'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [
    { NAME => 'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE',
    MIN_VERSIONS => '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK =>
    'true', BLOCKCACHE => 'true', COMPRESSION => 'NONE', VERSIONS => '3',
    REPLICATION_SCOPE => '0', TTL => '2147483647', DATA_BLOCK_ENCODING =>
    'NONE', IN_MEMORY => 'false' } ] }[lili@dhcp149251 ~]$
    [lili@dhcp149251 ~]$ curl -X DELETE
    http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl -X PUT -H "Content-Type: application/json"
    -d '{"@name":"table1", "ColumnSchema":[{"name":"column1"}]}'
    http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema{NAME=> 'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [ {
    NAME => 'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE',
    MIN_VERSIONS => '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK =>
    'true', BLOCKCACHE => 'true', COMPRESSION => 'NONE', VERSIONS => '3',
    REPLICATION_SCOPE => '0', TTL => '2147483647', DATA_BLOCK_ENCODING =>
    'NONE', IN_MEMORY => 'false' } ] }
    ------
    Hbase was configured for Kerberos Authentication , but it can be
    accessd by anyone from anywhere, Why ?

    Please advice me how to access Hbase gateway with kerberos
    Authentication.

    [image: 埋め込み画像 1]

    Thanks,

    Li Li



    To unsubscribe from this group and stop receiving emails from it, send
    an email to scm-users+unsubscribe@cloudera.org.
    To unsubscribe from this group and stop receiving emails from it, send an email to scm-users+unsubscribe@cloudera.org.
  • Romain Rigaux at Sep 24, 2013 at 8:49 pm
    AFAIK, the kerberos works only between the REST/Thrift server gateways and
    HBase, not between the user client and the REST/Thrift server gateways.

    We have the same problem in the Hue HBase app, we can't use security.

    Romain

    On Tue, Sep 24, 2013 at 1:10 AM, 李黎 wrote:

    Hi,

    It´s said The REST interface can be set up<http://hbase.apache.org/book/security.html#d2163e4324>to use a Kerberos credential to increase security.


    http://blog.cloudera.com/blog/2013/03/how-to-use-the-apache-hbase-rest-interface-part-1/

    Thanks,

    Li Li


    2013/9/24 Vikram Srivastava <vikrams@cloudera.com>
    Oops, sorry I meant "it doesn't seem like HBase Rest server does any
    authentication for clients"

    The link says "No authentication will be performed by the REST gateway
    itself."

    On Mon, Sep 23, 2013 at 11:15 PM, 李黎 wrote:

    Hi,

    I know it, but it don´t work at the environment configured by the
    Cloudera Manager.
    where is wrong?

    Thanks,

    Li Li


    2013/9/24 Vikram Srivastava <vikrams@cloudera.com>
    +cdh-user

    Added cdh-user where we can get more information for HBase. As per
    http://hbase.apache.org/book/security.html#d0e5338, it doesn't seem
    like HBase Rest server doesn't authentication for clients.

    On Mon, Sep 23, 2013 at 7:41 PM, 李黎 wrote:

    Hi,

    I have configured secure Hdfs and Hbase with Cloudera Manager to
    enable Kerberos authorization for HDFS, hue and hbase.
    I made sure REST API for WebHDFS is work successfully.
    ------------
    [root@dhcp149216 ~]# kinit user01
    Password for user01@mycompany.com:
    [root@dhcp149216 ~]# curl --negotiate -u: -i "
    http://dhcp149216:50070/webhdfs/v1/user/user01/samp.dat?op=open"
    HTTP/1.1 401
    Cache-Control: must-revalidate,no-cache,no-store
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: text/html; charset=iso-8859-1
    WWW-Authenticate: Negotiate
    Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
    Content-Length: 1378
    Server: Jetty(6.1.26.cloudera.2)

    HTTP/1.1 307 TEMPORARY_REDIRECT
    Cache-Control: no-cache
    Expires: Thu, 01-Jan-1970 00:00:00 GMT
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Date: Tue, 24 Sep 2013 02:20:10 GMT
    Pragma: no-cache
    Content-Type: application/octet-stream
    Set-Cookie: hadoop.auth="u=user01&p=user01@mycompany.com
    &t=kerberos&e=1380025210434&s=EHTlCLhBjb09oHHh8mSbapvPp6I=";Path=/
    Location:
    http://dhcp149216.a01.aist.go.jp:1006/webhdfs/v1/user/user01/samp.dat?op=OPEN&delegation=IAAGdXNlcjAxBnVzZXIwMQCKAUFNxEVOigFBcdDJTgcEFD1nBTkbkBcXKD5PIn8jpnn4g-goEldFQkhERlMgZGVsZWdhdGlvbhQxNTAuMjkuMTQ5LjIxNjo1MDA3MA&namenoderpcaddress=dhcp149216.a01.aist.go.jp:8020&offset=0
    Content-Length: 0
    Server: Jetty(6.1.26.cloudera.2)
    ------------

    But, I found Kerberos Authentication of Hbase is not done while I
    access to Hbase REST gateway.

    ----
    [root@dhcp149216 ~]# kdestroy

    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema
    { NAME=> 'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS =>
    [ { NAME => 'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE',
    MIN_VERSIONS => '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK =>
    'true', BLOCKCACHE => 'true', COMPRESSION => 'NONE', VERSIONS => '3',
    REPLICATION_SCOPE => '0', TTL => '2147483647', DATA_BLOCK_ENCODING =>
    'NONE', IN_MEMORY => 'false' } ] }[lili@dhcp149251 ~]$
    [lili@dhcp149251 ~]$ curl -X DELETE
    http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl -X PUT -H "Content-Type: application/json"
    -d '{"@name":"table1", "ColumnSchema":[{"name":"column1"}]}'
    http://dhcp149216:20550/table1/schema
    [lili@dhcp149251 ~]$ curl http://dhcp149216:20550/table1/schema{NAME=> 'table1', IS_META => 'false', IS_ROOT => 'false', COLUMNS => [ {
    NAME => 'column1', BLOCKSIZE => '65536', BLOOMFILTER => 'NONE',
    MIN_VERSIONS => '0', KEEP_DELETED_CELLS => 'false', ENCODE_ON_DISK =>
    'true', BLOCKCACHE => 'true', COMPRESSION => 'NONE', VERSIONS => '3',
    REPLICATION_SCOPE => '0', TTL => '2147483647', DATA_BLOCK_ENCODING =>
    'NONE', IN_MEMORY => 'false' } ] }
    ------
    Hbase was configured for Kerberos Authentication , but it can be
    accessd by anyone from anywhere, Why ?

    Please advice me how to access Hbase gateway with kerberos
    Authentication.

    [image: 埋め込み画像 1]

    Thanks,

    Li Li



    To unsubscribe from this group and stop receiving emails from it,
    send an email to scm-users+unsubscribe@cloudera.org.
    To unsubscribe from this group and stop receiving emails from it, send an
    email to scm-users+unsubscribe@cloudera.org.
    To unsubscribe from this group and stop receiving emails from it, send an email to scm-users+unsubscribe@cloudera.org.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupscm-users @
categorieshadoop
postedSep 24, '13 at 2:41a
activeSep 24, '13 at 8:49p
posts6
users3
websitecloudera.com
irc#hadoop

People

Translate

site design / logo © 2022 Grokbase