Subject: Re: Review Request: HBASE-2742, HBASE-2016: Port of secure Hadoop RPC changes and integration with HBase RPC protocols
From: Andrew Purtell
To: Andrew Purtell, Gary Helmling, jiraposter@review.hbase.org, dev@hbase.apache.org
Date: Thu, 29 Jul 2010 20:30:49 -0000
Message-ID: <20100729203049.12819.23160@ip-10-202-7-187.ec2.internal>
In-Reply-To: <20100729194006.12819.77223@ip-10-202-7-187.ec2.internal>
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://review.cloudera.org/r/406/#review586
-----------------------------------------------------------

Ship it!

It looks all quite straightforward. Only quibble is the '-S' suffix on the HBase version. At first I thought it was a typo; it could possibly lead to confusion.

- Andrew


On 2010-07-29 12:40:06, Gary Helmling wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> http://review.cloudera.org/r/406/
> -----------------------------------------------------------
>
> (Updated 2010-07-29 12:40:06)
>
>
> Review request for hbase.
>
>
> Summary
> -------
>
> This patch ports over the secure Hadoop RPC changes from the latest Yahoo 0.20 based branch (yahoo-hadoop-0.20.104). This patch is produced against HBase trunk, but is targeted as the first step in a "security" feature branch for a full role-based access control implementation (HBASE-1697).
>
> RPC Changes
> --------------------
> The primary changes are updates from the classes:
> org.apache.hadoop.ipc.Client -> org.apache.hadoop.hbase.ipc.HBaseClient
> org.apache.hadoop.ipc.RPC -> org.apache.hadoop.hbase.ipc.HBaseRPC
> org.apache.hadoop.ipc.Server -> org.apache.hadoop.hbase.ipc.HBaseServer
>
> The new classes were also ported:
> org.apache.hadoop.hbase.security.HBaseSaslRpcClient
> org.apache.hadoop.hbase.security.HBaseSaslRpcServer
>
> Due to type dependencies on the Hadoop RPC classes, the original Hadoop SaslRpc* classes could not be used.
>
> The RPC port provides client authentication via Kerberos, and SASL negotiation of client-server connections for mutual authentication and optionally encryption, so it also provides the authentication functionality for HBASE-2016. The ported RPC code contains dependencies on other classes in secure Hadoop/Hadoop trunk, preventing it from currently running on 0.20 branches missing the security changes.
>
> Process Authentication
> ---------------------------
> The HMaster and HRegionServer processes have been updated to allow configuration of the Kerberos principals used to run the processes. The new configuration parameters are:
>
> * hbase.master.keytab.file - Path to the keytab file containing the master principal's credentials
> * hbase.master.kerberos.principal - Kerberos principal name used to login the HMaster process
> * hbase.master.kerberos.https.principal - Kerberos principal name used to login the HMaster info server
> * hbase.regionserver.keytab.file - Path to the keytab file containing the region server's credentials
> * hbase.regionserver.kerberos.principal - Kerberos principal name used to login the HRegionServer process
> * hbase.regionserver.kerberos.https.principal - Kerberos principal name used to login the HRegionServer info server
>
> The new class org.apache.hadoop.hbase.security.HBasePolicyProvider and new file conf/hadoop-policy.xml allow restriction of the users and groups permitted to utilize each of the RPC protocol interfaces (HMasterInterface, HMasterRegionInterface, HRegionInterface).
>
> Testing Updates
> --------------------
> Parts of the test code (org.apache.hadoop.hbase.HBaseTestingUtility and org.apache.hadoop.hbase.MiniHBaseCluster) were directly using the internal Hadoop UnixUserGroupInformation class to manipulate process ownership for testing. These have been updated to use UserGroupInformation.doAs() instead.
>
>
> This addresses bugs HBASE-2016 and HBASE-2742.
> http://issues.apache.org/jira/browse/HBASE-2016
> http://issues.apache.org/jira/browse/HBASE-2742
>
>
> Diffs
> -----
>
> conf/hadoop-policy.xml PRE-CREATION
> pom.xml 2d3d75a
> src/main/java/org/apache/hadoop/hbase/ipc/ConnectionHeader.java PRE-CREATION
> src/main/java/org/apache/hadoop/hbase/ipc/HBaseClient.java 2b5eeb6
> src/main/java/org/apache/hadoop/hbase/ipc/HBaseRPC.java 9873172
> src/main/java/org/apache/hadoop/hbase/ipc/HBaseRpcMetrics.java d88c12d
> src/main/java/org/apache/hadoop/hbase/ipc/HBaseServer.java d3c6c21
> src/main/java/org/apache/hadoop/hbase/ipc/HMasterInterface.java bd48a4b
> src/main/java/org/apache/hadoop/hbase/ipc/HMasterRegionInterface.java 71a0447
> src/main/java/org/apache/hadoop/hbase/ipc/HRegionInterface.java 1157fe1
> src/main/java/org/apache/hadoop/hbase/ipc/Status.java PRE-CREATION
> src/main/java/org/apache/hadoop/hbase/master/HMaster.java e4bd30d
> src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java 6a54736
> src/main/java/org/apache/hadoop/hbase/security/HBasePolicyProvider.java PRE-CREATION
> src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java PRE-CREATION
> src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcServer.java PRE-CREATION
> src/main/java/org/apache/hadoop/hbase/util/JVMClusterUtil.java 280b91d
> src/main/resources/hbase-default.xml e3a9669
> src/test/java/org/apache/hadoop/hbase/HBaseTestingUtility.java 4d09fe9
> src/test/java/org/apache/hadoop/hbase/MiniHBaseCluster.java 9c49e36
> src/test/java/org/apache/hadoop/hbase/regionserver/TestStore.java 0b47975
> src/test/java/org/apache/hadoop/hbase/regionserver/wal/TestWALReplay.java c982662
>
> Diff: http://review.cloudera.org/r/406/diff
>
>
> Testing
> -------
>
>
> Thanks,
>
> Gary
>
>
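The two mechanisms the review request describes, a daemon logging in from the hbase.master.keytab.file / hbase.master.kerberos.principal pair and test code switching identity with UserGroupInformation.doAs(), as an added Java example that is not part of Gary's patch or of HBase itself. It assumes the secure-Hadoop APIs SecurityUtil.login(conf, keytabKey, principalKey, host), UserGroupInformation.createUserForTesting() and doAs(); the keytab path and principal are constructed placeholders.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

/** Added example: consuming the keytab/principal keys from the review, and the
 *  doAs() pattern that replaces direct UnixUserGroupInformation manipulation. */
public class SecureLoginExample {

  // Logs the HMaster process in from its keytab. SecurityUtil.login (assumed API from
  // the secure Hadoop branch) replaces a "_HOST" token in the principal with the local
  // hostname, then calls loginUserFromKeytab. Under simple auth there is nothing to do.
  public static void loginMaster(Configuration conf) throws IOException {
    if (!UserGroupInformation.isSecurityEnabled()) {
      return;
    }
    String host = InetAddress.getLocalHost().getCanonicalHostName();
    SecurityUtil.login(conf, "hbase.master.keytab.file",
        "hbase.master.kerberos.principal", host);
  }

  // Test-side identity switch: run an action as a fabricated user with the given groups
  // without changing the process-wide login user.
  public static String runAs(String user, String[] groups) throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(user, groups);
    return ugi.doAs(new PrivilegedExceptionAction<String>() {
      public String run() throws Exception {
        // Code executed here sees the fabricated identity as the current user.
        return UserGroupInformation.getCurrentUser().getShortUserName();
      }
    });
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    // Constructed placeholder values; a real deployment sets these in hbase-site.xml
    // together with hadoop.security.authentication=kerberos.
    conf.set("hbase.master.keytab.file", "/etc/security/keytabs/hbase.keytab");
    conf.set("hbase.master.kerberos.principal", "hbase/_HOST@EXAMPLE.COM");
    UserGroupInformation.setConfiguration(conf);
    loginMaster(conf); // no-op here because the default configuration is simple auth
    System.out.println("process user: " + UserGroupInformation.getCurrentUser());
    System.out.println("doAs user:    " + runAs("testuser", new String[] {"testgroup"}));
  }
}
```

With hadoop.security.authentication set to kerberos, loginMaster() fails unless the placeholder keytab path points at a real keytab for the resolved principal; runAs() needs no KDC and is the pattern the testing section refers to.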