hbase-dev mailing list archives

From "Gary Helmling" <ghelml...@gmail.com>
Subject Review Request: HBASE-2742, HBASE-2016: Port of secure Hadoop RPC changes and integration with HBase RPC protocols
Date Thu, 29 Jul 2010 19:40:06 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://review.cloudera.org/r/406/
-----------------------------------------------------------

Review request for hbase.


Summary
-------

This patch ports over the secure Hadoop RPC changes from the latest Yahoo 0.20 based branch
(yahoo-hadoop-0.20.104).  This patch is produced against HBase trunk, but is targeted as the
first step in a "security" feature branch for a full role-based access control implementation
(HBASE-1697).

RPC Changes
--------------------
The primary changes are updates from the classes:
org.apache.hadoop.ipc.Client -> org.apache.hadoop.hbase.ipc.HBaseClient
org.apache.hadoop.ipc.RPC -> org.apache.hadoop.hbase.ipc.HBaseRPC
org.apache.hadoop.ipc.Server -> org.apache.hadoop.hbase.ipc.HBaseServer

The new classes were also ported:
org.apache.hadoop.hbase.security.HBaseSaslRpcClient
org.apache.hadoop.hbase.security.HBaseSaslRpcServer

Due to type dependencies on the Hadoop RPC classes, the original Hadoop SaslRpc* classes could
not be used.

The RPC port provides client authentication via Kerberos, and SASL negotiation of client-server
connections for mutual authentication and optionally encryption, so it also provides the authentication
functionality for HBASE-2016.  The ported RPC code contains dependencies on other classes
in secure Hadoop/Hadoop trunk, preventing it from currently running on 0.20 branches missing
the security changes.

Process Authentication
---------------------------
The HMaster and HRegionServer processes have been updated to allow configuration of the Kerberos
principals used to run the processes.  The new configuration parameters are:

* hbase.master.keytab.file - Path to the keytab file containing the master principal's credentials
* hbase.master.kerberos.principal - Kerberos principal name used to login the HMaster process
* hbase.master.kerberos.https.principal - Kerberos principal name used to login the HMaster info server
* hbase.regionserver.keytab.file - Path to the keytab file containing the region server's credentials
* hbase.regionserver.kerberos.principal - Kerberos principal name used to login the HRegionServer process
* hbase.regionserver.kerberos.https.principal - Kerberos principal name used to login the HRegionServer info server

The new class org.apache.hadoop.hbase.security.HBasePolicyProvider and new file conf/hadoop-policy.xml
allow restriction of the users and groups permitted to utilize each of the RPC protocol interfaces
(HMasterInterface, HMasterRegionInterface, HRegionInterface).

Testing Updates
--------------------
Parts of the test code (org.apache.hadoop.hbase.HBaseTestingUtility and org.apache.hadoop.hbase.MiniHBaseCluster)
were directly using the internal Hadoop UnixUserGroupInformation class to manipulate process
ownership for testing.  These have been updated to use UserGroupInformation.doAs() instead.


This addresses bugs HBASE-2016 and HBASE-2742.
    http://issues.apache.org/jira/browse/HBASE-2016
    http://issues.apache.org/jira/browse/HBASE-2742


Diffs
-----

  conf/hadoop-policy.xml PRE-CREATION 
  pom.xml 2d3d75a 
  src/main/java/org/apache/hadoop/hbase/ipc/ConnectionHeader.java PRE-CREATION 
  src/main/java/org/apache/hadoop/hbase/ipc/HBaseClient.java 2b5eeb6 
  src/main/java/org/apache/hadoop/hbase/ipc/HBaseRPC.java 9873172 
  src/main/java/org/apache/hadoop/hbase/ipc/HBaseRpcMetrics.java d88c12d 
  src/main/java/org/apache/hadoop/hbase/ipc/HBaseServer.java d3c6c21 
  src/main/java/org/apache/hadoop/hbase/ipc/HMasterInterface.java bd48a4b 
  src/main/java/org/apache/hadoop/hbase/ipc/HMasterRegionInterface.java 71a0447 
  src/main/java/org/apache/hadoop/hbase/ipc/HRegionInterface.java 1157fe1 
  src/main/java/org/apache/hadoop/hbase/ipc/Status.java PRE-CREATION 
  src/main/java/org/apache/hadoop/hbase/master/HMaster.java e4bd30d 
  src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java 6a54736 
  src/main/java/org/apache/hadoop/hbase/security/HBasePolicyProvider.java PRE-CREATION 
  src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java PRE-CREATION 
  src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcServer.java PRE-CREATION 
  src/main/java/org/apache/hadoop/hbase/util/JVMClusterUtil.java 280b91d 
  src/main/resources/hbase-default.xml e3a9669 
  src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java 4d09fe9 
  src/test/java/org/apache/hadoop/hbase/MiniHBaseCluster.java 9c49e36 
  src/test/java/org/apache/hadoop/hbase/regionserver/TestStore.java 0b47975 
  src/test/java/org/apache/hadoop/hbase/regionserver/wal/TestWALReplay.java c982662 

Diff: http://review.cloudera.org/r/406/diff


Testing
-------


Thanks,

Gary
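
The following is an added example, not part of the original message or the patch: a small pre-deployment check over an hbase-site.xml that uses the six property names listed under "Process Authentication". The sample configuration is constructed, and the rules it applies (keytab and principal set together, absolute keytab path, primary[/instance]@REALM principal form) are assumptions about what a sane deployment looks like, not behaviour taken from the patch.

```python
import re
import xml.etree.ElementTree as ET

# Property names come from the message above; the checks are assumptions.
ROLES = ("master", "regionserver")
PRINCIPAL_RE = re.compile(r"^[^/@\s]+(/[^/@\s]+)?@[^/@\s]+$")

# Constructed sample configuration (not taken from the patch).
SAMPLE_SITE_XML = """<configuration>
  <property><name>hbase.master.keytab.file</name><value>/etc/hbase/conf/hbase.keytab</value></property>
  <property><name>hbase.master.kerberos.principal</name><value>hbase/master1.example.com@EXAMPLE.COM</value></property>
  <property><name>hbase.regionserver.keytab.file</name><value>conf/rs.keytab</value></property>
  <property><name>hbase.regionserver.kerberos.https.principal</name><value>host-rs1</value></property>
</configuration>"""

def load_properties(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> entries into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(props):
    """Return a list of findings for the master and region server Kerberos settings."""
    findings = []
    for role in ROLES:
        keytab = props.get(f"hbase.{role}.keytab.file", "")
        principal = props.get(f"hbase.{role}.kerberos.principal", "")
        https = props.get(f"hbase.{role}.kerberos.https.principal", "")
        # A keytab without a principal (or the reverse) cannot produce a login.
        if bool(keytab) != bool(principal):
            findings.append(f"{role}: keytab.file and kerberos.principal must be set together")
        # A relative path depends on the daemon's working directory.
        if keytab and not keytab.startswith("/"):
            findings.append(f"{role}: keytab path is not absolute: {keytab}")
        for label, value in (("kerberos.principal", principal),
                             ("kerberos.https.principal", https)):
            if value and not PRINCIPAL_RE.match(value):
                findings.append(f"{role}: {label} is not primary[/instance]@REALM: {value}")
    return findings

if __name__ == "__main__":
    for finding in audit(load_properties(SAMPLE_SITE_XML)):
        print(finding)
```
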

