0

We are connecting to BigTable using HBase API and we are using the hbase-site.xml. Is there any way we can use impersonation using HBase API to connect to BigTable?

<configuration  xmlns:xi="http://www.w3.org/2001/XInclude">
    <property>
        <name>hbase.client.connection.impl</name>
        <value>com.google.cloud.bigtable.hbase1_x.BigtableConnection</value>
    </property>
    <property>
        <name>google.bigtable.project.id</name>
        <value></value>
    </property>
    <property>
        <name>google.bigtable.instance.id</name>
        <value></value>
    </property>
    <property>
        <name>google.bigtable.auth.json.keyfile</name>
        <value></value>
    </property>
</configuration>

The source code (Bigtable implementation using the HBase API, i.e. com.google.cloud.bigtable.hbase1_x.BigtableConnection) doesn't have any functionality related to using impersonation. https://github.com/googleapis/java-bigtable-hbase

Ranga Vure
  • On which environment do you need to use impersonation? Is it on your local environment? In production? On GCP? – guillaume blaquiere Dec 08 '21 at 12:34
  • Need to use it in prod, but this component/code doesn't run on GCP Compute Engine; it will run on-premise. – Ranga Vure Dec 09 '21 at 06:31
  • So, why do you need impersonation? What's your use case? – guillaume blaquiere Dec 09 '21 at 08:25
  • Impersonation is used in GCP and with the IAM policies etc. defined in organizations. In this case, I am referring to having a credentials key JSON that doesn't have permissions to write, but with which you are able to impersonate a different service account which has permissions to write, while that service account's key is not given to you. Kind of like sudo permissions. – Ranga Vure Dec 20 '21 at 16:17

2 Answers

0

About user impersonation in HBase, it appears that it is supported through the use of an Apache Thrift server, which I think acts a bit like an upstream proxy. Per the comments in the post here, it is stated that CBT does support Thrift with this provided example (note this should be set up on a GCE instance). This additional guide shows the process of setting up this gateway and using it for requests coming from App Engine. If I misunderstood your intention, you can come back with additional details on your use case, so that I could work on your question.

Priyashree Bhadra
  • The issue is not about impersonating a user in HBase, but impersonating a user in BigTable when using the HBase API. For example, you have an API with an HBase implementation which reads/writes, and when your project is moving to migrate to BigTable, the same HBase API code should work, as BigTable supports the HBase API. – Ranga Vure Dec 20 '21 at 16:11
0

We didn't find any way to configure the impersonated user in hbase-site.xml, as we didn't find any param for this in the source code: https://github.com/googleapis/java-bigtable-hbase

The best way we can impersonate using the HBase API when connecting to BigTable is to create the BigTable connection using impersonation and use that connection object in the existing HBase API implementation. Here is the code snippet for getting the connection:

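import java.io.FileInputStream;
import java.util.Arrays;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ImpersonatedCredentials;
import com.google.cloud.bigtable.hbase.BigtableConfiguration;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.client.Connection;
public Connection getConnection() throws Exception {
        GoogleCredentials sourceCredentials; // the key you hold; it only needs the right to impersonate
        try (FileInputStream in = new FileInputStream("credentials_key.json")) {
            sourceCredentials = GoogleCredentials.fromStream(in);
        }
        ImpersonatedCredentials targetCredentials = ImpersonatedCredentials.create(sourceCredentials,
                "your-service-account@gcp-test-project.iam.gserviceaccount.com", null,
                Arrays.asList("https://www.googleapis.com/auth/bigtable.data"), 3600);
        // use your gcp project name and bigtable instance name
        Configuration config = BigtableConfiguration.configure("gcp-test-project", "big-table-instance");
        // withCredentials returns a new Configuration carrying the credentials; keep the returned object
        config = BigtableConfiguration.withCredentials(config, targetCredentials);
        return BigtableConfiguration.connect(config);
    }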

Using this approach, with minimal changes, one can use existing APIs/implementations using the HBase API to connect to BigTable and can impersonate. Please note that if impersonation is not required (the JSON key account you are using has the permissions to read/write), then there will not be any changes required for your existing code base. Ref: https://cloud.google.com/bigtable/docs/hbase-bigtable

Ranga Vure