Scenario: Hadoop not kerberized (does not matter even if it were - read below).   We have a setup where users from external partners are authenticated via federated security (OAuth) to access our system (Custom UI, Hadoop/HBase). The groups of the user are granted permissions to HBase tables (R) and cells (HBase cell-level security using visibility tags).   These users do not have a local unix account and no Krb keytab. They are pre-authenticated as above and our system gets their JWT, which contains their group claims, as a consequence.   We have tried HBase impersonation over HBase REST and Thrift. We can pass in the user's id or group and HBase applies the access and visibility controls. HBase does not care what entity (user or group) the doAs represents.   However, when the visibility of cells can be resolved by more than one group of a user, there is no way that HBase impersonation would work in our case.   Going over the HBase config and impersonation documentation, it is clear that impersonation implies that the user to be impersonated either has a local account with group memberships on the OS or has a keytab. Clearly undesirable in our scenario.   I see this as a BIG gap in HBase authorization model. Is there a way out? ... View more

Using HDP 3.0.0 bundle which has Hadoop 3.1.0 and HBase 2.0.0.3.0 (Version 2, Alpha release-3; Why??). Ambari is used to manage the setup.   We are trying to achieve user impersonation using Rest proxy in an unsecured and then secured setup. Tried it via code (UGI and doAs() as here, https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html, but for HBase). All of these fail and return the data, which has visibility tags attached, for the super user (hbase). That is, all data.   Rest proxy path: curl -> Knox -> HBase REST Gateway -> HBase   In a secured setup, Knox authenticates as knox principal to Gateway, Gateway authenticates to HBase as 'hbase' (tried 'HTTP' user as well) and HBase authenticates as 'hbase'.   The users to be impersonated are ldap authenticated at Knox using the Shiro authentication provider and a default identity assertion provider maps the logged in user to the ?doAs query param passed in the call to HBase Rest Gateway.   The logged in users have 'R' permission granted to the table being queried. One user has auth set for the visibility tags against some fields. Second user is not authorized against the visibility tags.   However, all data is returned from the table always as if the superuser is executing the table query, not the real user impersonated by the superuser as expected.   The required config properties for hadoop.proxyuser and the hbase.security (both authn and authz) are specified in the hbase site xml (tried on the HDFS core site xml as well). Config is matching as specified here -> https://community.cloudera.com/t5/Support-Questions/Hbase-rest-proxying/m-p/150395   Towards the end, i've just left this config in:  hbase.rest.support.proxyuser: true. And deleted the rest of config that is required to satisfy the proxy auth check for the superuser. Got no errors. Worked merrily as before. Similarly, i've left half config in and removed others hoping the proxy auth check would fail. Again no effect.   On my eyeballs widening on seeing HBase version 2, Alpha Rel-3 packaged in HDP 3.0.0, i've narrowed down to it being the culprit. I've proposed installing HDP 3.1.0 which has HDFS 3.1.1 and HBase 2.0.2. Will take it for a spin once sys admin spit it out.   My question is why did HDP 3.0.0 bake in an Alpha release of HBase?   Secondly, what else should i look at to make user impersonation work (remember i've tried impersonation via Rest path as well as code in secured as well as unsecured Hadoop)? ... View more