pinpoint-apm / pinpoint

APM (Application Performance Management) tool for large-scale distributed systems.
https://pinpoint-apm.gitbook.io/
Apache License 2.0
13.29k stars 3.75k forks

Whether "pinpoint" supports kerberos setting #7837

Open hsohans opened 3 years ago

hsohans commented 3 years ago

Hi, I have a question.

For security reasons, I want to configure kerberos on Hbase or Hadoop.

"We don't support setting kerberos in 2018." Is it the same now?

The link I checked is "https://github.com/pinpoint-apm/pinpoint/issues/3737".

Please answer my question.

minwoo-jung commented 3 years ago

Hello @hsohans

Kerberos can be configured in pinpoint.

Inherit the HbaseSecurityInterceptor interface and implement the code for kerberos access. The implemented class must be registered as a bean object.

The process method of the HbaseSecurityInterceptor class is called when establishing a connection with hbase.

There is a sample code link.

hsohans commented 3 years ago

@minwoo-jung

Thank you for telling me.

I'll apply it after checking that part.

eubnara commented 1 year ago

@minwoo-jung How about upgrading the hbase-shaded-client version? Since HBase >= 2.2.0, the hbase client supports client login via keytab. Pinpoint already uses ConnectionFactory.createConnection. However, it uses hbase-shaded-client 1.7.2. If it uses hbase-shaded-client >= 2.2.0, I think Pinpoint users can also access a kerberized HBase cluster with the following configurations.

<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>

<property>
  <name>hbase.client.keytab.file</name>
  <value>/local/path/to/client/keytab</value>
</property>

<property>
  <name>hbase.client.keytab.principal</name>
  <value>foo@EXAMPLE.COM</value>
</property>

minwoo-jung commented 1 year ago

@eubnara Hi, I will check your comment.

minwoo-jung commented 1 year ago

@eubnara From what you said, it looks like you only need to upgrade the hbase version. We already provide a hbase2-module using hbase-client version 2.4.11. I think you can use this module. What do you think?

minwoo-jung commented 1 year ago

@eubnara In addition, we will end support for hbase 1.X soon. So, in the future, only the hbase 2.X version will be officially supported, and the hbase client version will also be set to use the 2.X version by default.

eubnara commented 1 year ago

Thanks for the reply! I'll try to use the hbase2 module first to access kerberized hbase.

eubnara commented 1 year ago

My teammate has succeeded in connecting to kerberized hbase with hbase-site.xml added to the classpath, with configurations as follows (according to the hbase guide: https://hbase.apache.org/book.html#_client_side_configuration_for_secure_operation):

hbase.client.keytab.file
hbase.client.keytab.principal
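
A pre-flight check for the hbase-site.xml client settings named in the comment above, added here as an example that is not part of the thread or of Pinpoint's code. The function names and the rule that the keytab must not be accessible to group or other are assumptions of this example; the sample file and keytab are constructed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Property names as quoted in the thread above.
REQUIRED = ("hbase.security.authentication", "hbase.client.keytab.file",
            "hbase.client.keytab.principal")

def load_properties(site_xml_path):
    """Return {name: value} from a Hadoop-style <configuration> file."""
    props = {}
    for prop in ET.parse(site_xml_path).getroot().iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_kerberos_client_config(site_xml_path):
    """Return a list of findings; an empty list means every check passed."""
    props = load_properties(site_xml_path)
    findings = [f"missing property: {k}" for k in REQUIRED if not props.get(k)]
    auth = props.get("hbase.security.authentication")
    if auth and auth.lower() != "kerberos":
        findings.append(f"authentication is '{auth}', not 'kerberos'")
    keytab = props.get("hbase.client.keytab.file")
    if keytab and not os.path.isfile(keytab):
        findings.append(f"keytab not found: {keytab}")
    elif keytab:
        mode = stat.S_IMODE(os.stat(keytab).st_mode)
        # A keytab holds long-term keys, so only its owner should have access.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"keytab mode {oct(mode)} allows group/other access")
    return findings

def demo():
    """Constructed sample: one config checked with a 0644, then a 0600 keytab."""
    with tempfile.TemporaryDirectory() as d:
        keytab = os.path.join(d, "client.keytab")  # empty stand-in file
        open(keytab, "wb").close()
        site = os.path.join(d, "hbase-site.xml")
        values = ("kerberos", keytab, "foo@EXAMPLE.COM")
        with open(site, "w") as f:
            f.write("<configuration>%s</configuration>" % "".join(
                f"<property><name>{n}</name><value>{v}</value></property>"
                for n, v in zip(REQUIRED, values)))
        os.chmod(keytab, 0o644)
        loose = check_kerberos_client_config(site)
        os.chmod(keytab, 0o600)
        return loose, check_kerberos_client_config(site)
```

Running `check_kerberos_client_config` against the hbase-site.xml on the collector or web classpath before startup surfaces a missing property or a loosely permissioned keytab as a finding instead of a connection failure.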

minwoo-jung commented 1 year ago

@eubnara Thanks for sharing your results. It will be very helpful for users.

eubnara commented 12 months ago

I have one suggestion. How about upgrading hbase2.client.version >= 2.5.0 to support hbase.unsafe.client.kerberos.hostname.disable.reversedns? (https://issues.apache.org/jira/browse/HBASE-25665) In a k8s cluster environment, it is necessary to disable reverse DNS lookup in some cases.

emeroad commented 12 months ago

@eubnara That's good info. We will upgrade the version to hbase client 2.5.x.