Hi @hbased; It is a bug. There is a jira for the issue and apparently it was resolved in version 3.0.0. This is the apache hbase site - not necessarily your distro version. Cloudera say the issue is resolved in 3.1.4. We have raised a support ticket with Cloudera and they are patching our current distro version of hbase and providing us with a new binary. Here's the jira ref. https://issues.apache.org/jira/browse/HBASE-21960 All the best
... View more
Hi @elserj while broadly agreeing with the principle of what you are saying, I would amend your earlier comment: "Without enabling Kerberos authentication for HBase, any authorization checks you make are pointless." Knox, in fact offers a HeaderPreAuth Provider for pre-authenticated use cases. It is another matter that it is half baked as far as user groups are concerned. Without belabouring the point any further, impersonation is for users who are not authenticated and so need to piggy back on an authenticated super user. The permissions and ACL still have to be granted to such pre-authenticated users for the resources that they need. It is not the permission and ACL of the super user that is (or should be) utilized for authorization checks for the real user. If the perimeter security provides strong authentication, there should not be a need to further authenticate the same user and too via Krb. Many a resources time is wasted by documentation and commentary recommending this route.
... View more