ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Onischuk" <aonis...@hortonworks.com>
Subject Re: Review Request 34408: When Kerberizing a cluster with Ranger HBase plugin enabled, HBase coprocessor properties in hbase-site are overwritten (and breaks Ranger HBase plugin)
Date Tue, 19 May 2015 14:13:56 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34408/#review84313
-----------------------------------------------------------



ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py
<https://reviews.apache.org/r/34408/#comment135527>

    We should add this as configurations as a properties. And use properties inheritance via
stack. 
    
    Rather than this checks which is basically a bad practice.


- Andrew Onischuk


On May 19, 2015, 2:11 p.m., Emil Anca wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34408/
> -----------------------------------------------------------
> 
> (Updated May 19, 2015, 2:11 p.m.)
> 
> 
> Review request for Ambari, Andrew Onischuk, Robert Levas, and Vitalyi Brodetskyi.
> 
> 
> Bugs: AMBARI-11238
>     https://issues.apache.org/jira/browse/AMBARI-11238
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> STR:
> 1. Install HDP 2.2 cluster.
> 2. Add Ranger to the cluster via Add Service Wizard. While Ranger is added, enable Ranger
HBase plugin. This changes the following properties in hbase-site:
> hbase.coprocessor.master.classes: com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor
> hbase.coprocessor.region.classes: org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor
> 3. Kerberization API, resets the following properties in hbase-site and invalidates settings
that are needed for Ranger HBase plugin:
> "hbase.coprocessor.master.classes": "org.apache.hadoop.hbase.security.access.AccessController"
> "hbase.coprocessor.region.classes": "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController"
> 
> # Problem:
> 
> The Kerberos descriptor updates the values and overrides hbase ranger plugin props
> 
> # Solution:
> 
> Since the Kerberos descriptor does not currently support conditional configuration updates,
it will hold references to the two props which will be then dynamically decided on the agent
side before the config file is written, during the lifecycle of hbase.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json 125a9c9

>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py
500d1ec 
> 
> Diff: https://reviews.apache.org/r/34408/diff/
> 
> 
> Testing
> -------
> 
> HDP 2.2 with and without security/hbase ranger plugin
> HDP 2.3 with and without security/hbase ranger plugin
> 
> mvn clean test -pl ambari-server
> 
> 
> Thanks,
> 
> Emil Anca
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message