I'm actually trying to make some custom security setups in a HDP cluster (not Kerberized). The use case is hbase and kafka must implement authorization but wihthout using kerberos. Only human mistakes must be avoided, so there's no reason for passwords. All in Java.
Of course there's no authorization without authentication (which is where Kerberos does its job). I was able to implement authorization on Kafka brokers (this one, even on a kerberized cluster, the brokers can be configured to change from GSSAPI
to PLAIN
), making my own implementation of a LoginModule
that just reads a Jaas file:
KafkaClient
{
my.package.project.authentication.NamePlateLoginModule required
username=stuckuvurfluw;
};
Yes I know, a dummy authentication =). As I said, there's no need to secure data, just avoid human mistakes. So, on KafkaBrokers, I just needed to make some changes to the properties in order to change the behaviour and expect PLAIN
authentication. Setting up kafka acls
to allow only stuckuvurfluw user was made the same old way:
bin/kafka-acls.sh (..) --add --allow-permissions User:stuckuvurfluw (...)
One done.. But oh Hbase. I am not able to find any way to setup authentication without using Kerberos. No property value found for hbase-site.xml
or other configuration properties on client side.
The question is, is there anyway, or some other implementation other than Kerberos, in which I can base my own "Dummy" implementation, similar to the one made for Kafka? Thanks in advance! : )
I guess this helps:
There's no way.
A valuable comment from Samson Scharfrichter:
Speaking about Hadoop in general, the SIMPLE authentication mode does ensure that "Only human mistakes must be avoided" > client identity is guessed on client side from (a) env variable
HADOOP_USER_NAME
and (b) failing that, the current Linux or Windows session user as reported by the JVM. If HBase supports ACLs in SIMPLE mode (like HDFS does) then you've got your "dummy" authentication/authorization out of the box...