accumulo-notifications mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (ACCUMULO-3568) getDiskUsage server implementation recreates Connector from user credentials
Date Wed, 11 Feb 2015 00:52:11 GMT

     [ https://issues.apache.org/jira/browse/ACCUMULO-3568?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser updated ACCUMULO-3568:
---------------------------------
    Description: 
The server-side impl for {{TableOperationsImpl.getDiskUsage}} pulls the credentials from the
RPC and makes a {{Connector}} from them instead of using its own credentials. With Kerberos
enabled, this results in the server "accumulo/hostname@REALM" trying to act as "user@REALM"
which (correctly) fails.

The getDiskUsage implementation should use its own Connector (using the SystemToken from the
ServerContext), perform the correct security checks for permissions and act on behalf of the
user instead of trying to *be* the user.

  was:{{TableOperationsImpl.getDiskUsage}} uses the {{ServerClient}} class which is meant
for Accumulo services to use to communicate with each other. This results in the authentication
performed for this method being performed (incorrectly) as the system instead of the client.


> getDiskUsage server implementation recreates Connector from user credentials
> ----------------------------------------------------------------------------
>
>                 Key: ACCUMULO-3568
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3568
>             Project: Accumulo
>          Issue Type: Bug
>          Components: shell
>         Environment: kerberos
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Critical
>             Fix For: 1.7.0
>
>
> The server-side impl for {{TableOperationsImpl.getDiskUsage}} pulls the credentials from
> the RPC and makes a {{Connector}} from them instead of using its own credentials. With Kerberos
> enabled, this results in the server "accumulo/hostname@REALM" trying to act as "user@REALM"
> which (correctly) fails.
> The getDiskUsage implementation should use its own Connector (using the SystemToken from
> the ServerContext), perform the correct security checks for permissions and act on behalf
> of the user instead of trying to *be* the user.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
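
The difference between being the user and acting on behalf of the user, as an added example that is not part of the original message and is not Accumulo code. Every class, method, table name and the "read" permission below are hypothetical stand-ins; only the two principal strings come from the issue text.

```java
import java.util.*;

// Hypothetical model, not Accumulo's API: all class and method names are constructed.
public class DiskUsageDelegation {
    static final String SYSTEM_PRINCIPAL = "accumulo/hostname@REALM";

    // What the RPC carries: the caller's authenticated principal, not a secret the server can replay.
    record RpcCredentials(String principal) {}

    // Stand-in for the storage layer: it accepts only sessions whose principal matches
    // the identity the server process actually holds keys for (as Kerberos enforces).
    static final class Store {
        private final Map<String, Long> tableBytes = Map.of("trades", 4096L, "audit", 1024L);
        long usage(String sessionPrincipal, String table) {
            if (!SYSTEM_PRINCIPAL.equals(sessionPrincipal))
                throw new SecurityException(SYSTEM_PRINCIPAL + " cannot authenticate as " + sessionPrincipal);
            return tableBytes.get(table);
        }
    }

    // Constructed per-user grants that the server consults before doing any work.
    static final Map<String, Set<String>> READ_GRANTS = Map.of("user@REALM", Set.of("trades"));

    // Before: the server rebuilds a session from the caller's credentials (tries to *be* the user).
    static long getDiskUsageAsUser(Store store, RpcCredentials caller, String table) {
        return store.usage(caller.principal(), table);
    }

    // After: authorize the caller explicitly, then do the work under the server's own identity.
    static long getDiskUsageOnBehalfOf(Store store, RpcCredentials caller, String table) {
        Set<String> granted = READ_GRANTS.getOrDefault(caller.principal(), Set.of());
        if (!granted.contains(table))
            throw new SecurityException(caller.principal() + " lacks read permission on " + table);
        return store.usage(SYSTEM_PRINCIPAL, table);
    }

    public static void main(String[] args) {
        Store store = new Store();
        RpcCredentials user = new RpcCredentials("user@REALM");
        try { getDiskUsageAsUser(store, user, "trades"); }
        catch (SecurityException e) { System.out.println("before: " + e.getMessage()); }
        System.out.println("after: " + getDiskUsageOnBehalfOf(store, user, "trades") + " bytes");
        try { getDiskUsageOnBehalfOf(store, user, "audit"); }
        catch (SecurityException e) { System.out.println("after (no grant): " + e.getMessage()); }
    }
}
```

The permission check in the second method is what keeps the switch to the system identity from widening access: without it, any authenticated caller would read usage for any table with the server's privileges.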
