ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas" <rle...@hortonworks.com>
Subject Re: Review Request 34408: When Kerberizing a cluster with Ranger HBase plugin enabled, HBase coprocessor properties in hbase-site are overwritten (and breaks Ranger HBase plugin)
Date Tue, 19 May 2015 14:13:27 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34408/#review84312
-----------------------------------------------------------

Ship it!


Ship It!

- Robert Levas


On May 19, 2015, 10:11 a.m., Emil Anca wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34408/
> -----------------------------------------------------------
> 
> (Updated May 19, 2015, 10:11 a.m.)
> 
> 
> Review request for Ambari, Andrew Onischuk, Robert Levas, and Vitalyi Brodetskyi.
> 
> 
> Bugs: AMBARI-11238
>     https://issues.apache.org/jira/browse/AMBARI-11238
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> STR:
> 1. Install HDP 2.2 cluster.
> 2. Add Ranger to the cluster via Add Service Wizard. While Ranger is added, enable Ranger
HBase plugin. This changes the following properties in hbase-site:
> hbase.coprocessor.master.classes: com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor
> hbase.coprocessor.region.classes: org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor
> 3. Kerberization API, resets the following properties in hbase-site and invalidates settings
that are needed for Ranger HBase plugin:
> "hbase.coprocessor.master.classes": "org.apache.hadoop.hbase.security.access.AccessController"
> "hbase.coprocessor.region.classes": "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController"
> 
> # Problem:
> 
> The Kerberos descriptor updates the values and overrides hbase ranger plugin props
> 
> # Solution:
> 
> Since the Kerberos descriptor does not currently support conditional configuration updates,
it will hold references to the two props which will be then dynamically decided on the agent
side before the config file is written, during the lifecycle of hbase.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json 125a9c9

>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py
500d1ec 
> 
> Diff: https://reviews.apache.org/r/34408/diff/
> 
> 
> Testing
> -------
> 
> HDP 2.2 with and without security/hbase ranger plugin
> HDP 2.3 with and without security/hbase ranger plugin
> 
> mvn clean test -pl ambari-server
> 
> 
> Thanks,
> 
> Emil Anca
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message