-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement OPA compatible authorizer #488
Open
12 of 14 tasks
soenkeliebau opened this issue
Apr 15, 2024
· 0 comments
· May be fixed by stackabletech/hbase-opa-authorizer#1
Open
12 of 14 tasks
Implement OPA compatible authorizer #488
soenkeliebau opened this issue
Apr 15, 2024
· 0 comments
· May be fixed by stackabletech/hbase-opa-authorizer#1
Labels
Comments
soenkeliebau
changed the title
Implement authorizer
Implement OPA compatible authorizer
Apr 15, 2024
This was referenced Jun 4, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As a user I want to be able to use OPA/Rego rules as the basis of authorization checks in HBase.
Background
HBase uses a coprocessor - AccessController - which, when configured, invokes a Hadoop Group mapper to collect user/group information. This is used in conjunction with Zookeeper to filter data in HBase. This would mean that the implementation steps would be:
hbase.security.authorization
totrue
in the site configProblem
We do not actually use the StackableGroupMapper by default, as it has limitiations:
Instead, we have implemented
public class StackableAccessControlEnforcer implements INodeAttributeProvider.AccessControlEnforcer
which bypasses the group mappings entirely and uses rego rules exclusively.Possible approaches
Recommended approach
Implementation questions
hbase.security.authorization=false
) so that other users of AccessChecker will allow everything, and then use our own setting (e.g.hbase.opa.authorization=true
) to activate our own calls to the opa server. What are the sideaffects of this?Update following initial efforts
Tasks
The text was updated successfully, but these errors were encountered: