Use Federated security authenticated user in HBase impersonation

Scenario: Hadoop not kerberized (does not matter even if it were - read below).

We have a setup where users from external partners are authenticated via federated security (OAuth) to access our system (Custom UI, Hadoop/HBase). The groups of the user are granted permissions to HBase tables (R) and cells (HBase cell-level security using visibility tags).

These users do not have a local unix account and no Krb keytab. They are pre-authenticated as above and our system gets their JWT, which contains their group claims, as a consequence.

We have tried HBase impersonation over HBase REST and Thrift. We can pass in the user's id or group and HBase applies the access and visibility controls. HBase does not care what entity (user or group) the doAs represents.

However, when the visibility of cells can be resolved by more than one group of a user, there is no way that HBase impersonation would work in our case.

Going over the HBase config and impersonation documentation, it is clear that impersonation implies that the user to be impersonated either has a local account with group memberships on the OS or has a keytab. Clearly undesirable in our scenario.

I see this as a BIG gap in the HBase authorization model. Is there a way out?
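
An added illustration (not code from the post or from HBase) of the situation described above, under one reading of it: a cell whose visibility expression needs labels held by two different groups of the same user, evaluated for a single doAs group name and then for the union of the JWT's group claims. The group names, labels, JWT claims and the evaluator's operator precedence are constructed assumptions.

```python
import re

# Constructed sample data: labels granted to groups, and one user's JWT group claims.
GROUP_AUTHS = {"partner_a": {"PII"}, "auditors": {"FINANCE"}}
JWT_GROUPS = ["partner_a", "auditors"]
_TOKEN = re.compile(r"\s*([&|!()]|[A-Za-z0-9_.:-]+)")

def auths_for(principals):
    """Union of the labels granted to each principal name (unknown names get none)."""
    return set().union(*(GROUP_AUTHS.get(p, set()) for p in principals))

def visible(expr, auths):
    """Evaluate a visibility expression (& | ! and parentheses) against a label set."""
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unsupported character in {expr!r}")
    tokens.append(None)                      # end-of-input marker
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def unary():
        tok = take()
        if tok == "!":
            return not unary()
        if tok == "(":
            val = chain("|")
            if take() != ")":
                raise ValueError("missing ')'")
            return val
        if tok in (None, "&", "|", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return tok in auths                  # bare label: does the caller hold it?

    def chain(op):
        # "|" joins "&" groups and "&" joins unary terms (& binds tighter: an assumption).
        operand = (lambda: chain("&")) if op == "|" else unary
        val = operand()
        while tokens[pos] == op:
            take()
            rhs = operand()                  # always parse the operand, then combine
            val = (val or rhs) if op == "|" else (val and rhs)
        return val

    result = chain("|")
    if tokens[pos] is not None:
        raise ValueError("trailing tokens")
    return result
```

With this sample data, `visible("PII&FINANCE", auths_for(["partner_a"]))` is false while `visible("PII&FINANCE", auths_for(JWT_GROUPS))` is true, which is the gap between impersonating one name and carrying all of the user's group claims.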

1 REPLY

Re: Use Federated security authenticated user in HBase impersonation

Hi,

Were you able to check if Knox has any kind of configuration that is able to get the Federated Identity?