Blog do projektu Open Source JavaHotel

niedziela, 4 sierpnia 2019

HDP 3.1, HBase REST API, security gap

Problem
I found a nasty problem with HDP 3.1 which cost me several sleepless nights. There is a security gap in HBase REST API. The HBase REST API service does not impersonate users and all HBase commands are executed as hbase user. The same behaviour is passed to Knox HBase. It means that any user having access to HBase REST API or Knox Gateway HBase is authorized to do any action bypassing any security settings in Ranger or HBase service directly.
Solution
The only solution I found was to compile the current version of HBase downloaded from GitHub and replace the legacy hbase-rest jar with the new one.

Clone GitHub repository and build the packages
git clone https://github.com/apache/hbase.git -b branch-2.0
cd hbase
mvn package -DskipTests

As root user
cd /usr/hdp/3.1.0.0-78/hbase/lib

Archive existing jar
mkdir arch
mv mv hbase-rest-2.0.2.3.1.0.0-78.jar arch/
unlink hbase-rest.jar

Replace with the new one
ln -s /home/hbase/hbase/hbase-rest/target/hbase-rest-2.0.6-SNAPSHOT.jar hbase-rest.jar

Restart HBase REST API server.

Brak komentarzy:

Prześlij komentarz