Date: Fri, 8 Apr 2016 22:05:25 +0000 (UTC)
From: "Matteo Bertozzi (JIRA)"
To: dev@hbase.apache.org
Subject: [jira] [Created] (HBASE-15622) Superusers does not consider the keytab credentials

Matteo Bertozzi created HBASE-15622:
---------------------------------------

             Summary: Superusers does not consider the keytab credentials
                 Key: HBASE-15622
                 URL: https://issues.apache.org/jira/browse/HBASE-15622
             Project: HBase
          Issue Type: Bug
          Components: security
    Affects Versions: 0.98.16.1, 1.1.4, 1.2.0, 2.0.0, 1.3.0
            Reporter: Matteo Bertozzi


After HBASE-13755 the superuser we add by default (the process running hbase) does not take into consideration the keytab credential. We have an env with the process user being hbase and the keytab being hbasefoo.

From Superusers TRACE I see the hbase being picked up
{noformat}
TRACE Superusers: Current user name is hbase
{noformat}

From the RS audit I see the hbasefoo making requests
{noformat}
"allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
{noformat}

Looking at the code in HRegionServer we do
{code}
public HRegionServer(Configuration conf, CoordinatedStateManager csm) throws IOException {
  ...
  this.userProvider = UserProvider.instantiate(conf);
  Superusers.initialize(conf);
  ..
  // login the server principal (if using secure Hadoop)
  login(userProvider, hostName);
  ..
{code}

Before HBASE-13755 we were initializing the super user in the ACL coprocessor, so after the login. But now we do that before the login.
I'm not sure if we can just move the Superuser.initialize() after the login [~mantonov]?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
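
A minimal model of the ordering described in this report, added here as an illustration; it is not part of the original message and is not HBase code. The names SuperuserInitOrder, SuperuserRegistry and loginFromKeytab are hypothetical stand-ins, and the user names hbase and hbasefoo are the ones given in the report.

```java
import java.util.HashSet;
import java.util.Set;

// Hypothetical stand-ins only: this models the ordering in the report and does
// not use or reproduce HBase's UserProvider, Superusers or HRegionServer.
public class SuperuserInitOrder {
    // "Current user": the OS process user until a keytab login replaces it.
    static String currentUser = "hbase";

    // Models the server login: the identity switches to the keytab principal.
    static void loginFromKeytab(String principalShortName) {
        currentUser = principalShortName;
    }

    // Registry that snapshots the current user exactly once, at initialize().
    static final class SuperuserRegistry {
        private final Set<String> names = new HashSet<>();

        void initialize(Set<String> configured) {
            names.clear();
            names.add(currentUser);   // whoever is current at this moment
            names.addAll(configured); // explicitly configured superusers, if any
        }

        boolean isSuperuser(String user) {
            return names.contains(user);
        }
    }

    // True when the identity the server makes requests as is in the registry.
    static boolean serverIdentityIsSuperuser(boolean initializeBeforeLogin) {
        currentUser = "hbase";                    // process user from the report
        SuperuserRegistry registry = new SuperuserRegistry();
        Set<String> configured = new HashSet<>(); // assumption: none configured
        if (initializeBeforeLogin) {
            registry.initialize(configured);      // snapshot taken: "hbase"
            loginFromKeytab("hbasefoo");          // identity changes afterwards
        } else {
            loginFromKeytab("hbasefoo");
            registry.initialize(configured);      // snapshot taken: "hbasefoo"
        }
        return registry.isSuperuser(currentUser);
    }

    public static void main(String[] args) {
        System.out.println("initialize before login: " + serverIdentityIsSuperuser(true));
        System.out.println("initialize after login:  " + serverIdentityIsSuperuser(false));
    }
}
```

Comparing the registry contents with the identity seen in the audit log, as the report does with the TRACE line and the RS audit entry, is the check that exposes the mismatch.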