hbase-user mailing list archives

From Josh Elser <els...@apache.org>
Subject Re: HBase Thrift - HTTP - Kerberos & SPNEGO
Date Thu, 11 Jan 2018 15:50:37 GMT

Hey Kevin!

Looks like you got some good changes in here.

IMO, the HBase Thrift2 "implementation" makes more sense to me (I'm sure 
there was a reason for having HTTP be involved at one point, but Thrift 
today has the ability to do all of this RPC work for us). I'm not sure 
what the HBase API implementations look like between the two versions.

If you'd like to open up a JIRA and throw up a patch, you'd definitely 
have my attention if no one else's :)

On 1/11/18 9:31 AM, Kevin Risden wrote:
> I'm not 100% sure this should be posted to user list, but starting here
> before dev list/JIRA.
>
> I've been working on setting up the Hue HBase and it requires HBase Thrift
> v1 server. To support impersonation/proxyuser, the documentation states
> that this must be done with HTTP and not binary mode. The cluster has
> Kerberos and so the final setup ends up being HBase Thrift in HTTP mode
> with Kerberos.
>
> While setting up the HBase Thrift server with HTTP, there were a
> significant amount of 401 errors where the HBase Thrift wasn't able to
> handle the incoming Kerberos request. Documentation online is sparse when
> it comes to setting up the principal/keytab for HTTP Kerberos.
>
> I noticed that the HBase Thrift HTTP implementation was missing SPNEGO
> principal/keytab like other Thrift based servers (HiveServer2). It looks
> like HiveServer2 Thrift implementation and HBase Thrift v1 implementation
> were very close to the same at one point. I made the following changes to
> HBase Thrift v1 server implementation to make it work:
>
> * add SPNEGO principal/keytab if in HTTP mode
> * return 401 immediately if no authorization header instead of waiting for
>   try/catch down in program flow
>
> The code changes are available here:
> https://github.com/risdenk/hortonworks-hbase-release/compare/HDP-
>
> Does this seem like the right approach?
>
> The same types of changes should apply to master as well. If this looks
> reasonable, I can create a JIRA and generate patch against Apache HBase
> master.
>
> Side note: I saw the notes about HBase Thrift v1 was meant to go away at
> some point but looks like it is still being depended on.
>
> Kevin Risden
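
The second change listed in the quoted message (answer 401 up front when there is no usable authorization header), shown as an added example; this is not Kevin's patch and not HBase code. The class and method names are hypothetical, and treating a wrong scheme or undecodable token the same as a missing header is an assumption of this example.

```java
import java.util.Base64;
import java.util.Optional;

public class SpnegoHeaderCheck {   // hypothetical name, not an HBase class
    // Challenge a SPNEGO-capable client expects alongside a 401 (RFC 4559).
    static final String CHALLENGE = "WWW-Authenticate: Negotiate";

    /**
     * Returns the raw GSS token carried in an Authorization header, or empty
     * when the server should answer 401 + CHALLENGE without touching GSS-API.
     */
    static Optional<byte[]> extractToken(String authorization) {
        if (authorization == null || authorization.isBlank()) {
            return Optional.empty();              // first request of the handshake
        }
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Negotiate")) {
            return Optional.empty();              // wrong scheme, e.g. Basic
        }
        try {
            byte[] token = Base64.getDecoder().decode(parts[1]);
            return token.length == 0 ? Optional.empty() : Optional.of(token);
        } catch (IllegalArgumentException e) {
            return Optional.empty();              // token is not valid base64
        }
    }

    public static void main(String[] args) {
        // Constructed sample headers; "YIIC" decodes to three arbitrary bytes.
        String[] samples = {null, "Basic dXNlcjpwYXNz", "Negotiate !!!", "Negotiate YIIC"};
        for (String header : samples) {
            Optional<byte[]> token = extractToken(header);
            String decision = token.isPresent()
                ? "pass " + token.get().length + " bytes to GSSContext.acceptSecContext"
                : "HTTP 401, " + CHALLENGE;
            System.out.println(header + " -> " + decision);
        }
    }
}
```

Only requests that yield a token reach the Kerberos code path, so the challenge for an unauthenticated first request no longer depends on an exception being caught further down.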
