ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sumit Mohanty" <smoha...@hortonworks.com>
Subject Re: Review Request 40319: Ambari does not configure hbase.coprocessor.regionserver.classes
Date Sat, 14 Nov 2015 13:26:44 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40319/#review106543
-----------------------------------------------------------

Ship it!


Ship It!

- Sumit Mohanty


On Nov. 14, 2015, 5:39 a.m., Jaimin Jetly wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/40319/
> -----------------------------------------------------------
> 
> (Updated Nov. 14, 2015, 5:39 a.m.)
> 
> 
> Review request for Ambari, Sumit Mohanty and Srimanth Gunturi.
> 
> 
> Bugs: AMBARI-13897
>     https://issues.apache.org/jira/browse/AMBARI-13897
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> In a newly installed cluster with security and ranger, I cannot find {{hbase.coprocessor.regionserver.classes}}
configured which is needed to protect some of the direct RPC's to the regionserver (stopping
regionserver is an example). 
> 
> In a proper cluster all *three* properties should be configured:  
> {code}
> <property>
>   <name>hbase.coprocessor.region.classes</name>
>   <value>org.apache.hadoop.hbase.security.token.TokenProvider, org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
> </property>
> <property>
>   <name>hbase.coprocessor.master.classes</name>
>   <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>   <name>hbase.coprocessor.regionserver.classes</name>
>   <value>org.apache.hadoop/hbase.security.access.AccessController</value>
> </property>
> {code}
> 
> In stackadvisor, I can see that we are configuring {{hbase.coprocessor.regionserver.classes}},
but somehow in a newly installed cluster, I don't find the setting in hbase-site.xml. 
> 
> There are a couple of action items from this jira: 
>  # Make sure that {{hbase.coprocessor.regionserver.classes}} is configured properly for
secure clusters. 
> # reading the stackadvisor code, it can be improved so that if the customer has configured
other coprocessors, they are not lost.  The logic for {{hbase.coprocessor.regionserver.classes}}
and {{hbase.coprocessor.region.classes}} and {{hbase.coprocessor.master.classes}} should be
something like this: 
>  - get the list of co-processors and put them to a set. 
>  - If security is enabled, then add either ranger or hbase native AC coprocessors to
the set 
>  - Else remove the AC and ranger AC coprocessors from the list 
>  - write the configurations to hbase-site.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json 1de417f

>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py
bab2cc5 
>   ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py 6645083 
>   ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py d3d2c3a 
>   ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py 4db688c 
> 
> Diff: https://reviews.apache.org/r/40319/diff/
> 
> 
> Testing
> -------
> 
> Jaimin D Jetly added a comment - 4 minutes ago
> Tested the patch manually on a cluster.
> Verified that all python unit tests passes with the patch:
> ----------------------------------------------------------------------
> Ran 238 tests in 6.872s
> OK
> ----------------------------------------------------------------------
> Total run:832
> Total errors:0
> Total failures:0
> OK
> 
> 
> Thanks,
> 
> Jaimin Jetly
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message