hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "jiraposter@reviews.apache.org (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-2742) Provide strong authentication with a secure RPC engine
Date Sun, 13 Nov 2011 20:03:57 GMT

    [ https://issues.apache.org/jira/browse/HBASE-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13149343#comment-13149343

jiraposter@reviews.apache.org commented on HBASE-2742:

bq.  On 2011-11-07 06:59:29, Michael Stack wrote:
bq.  > security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java, line 128
bq.  > <https://reviews.apache.org/r/1991/diff/4/?file=53577#file53577line128>
bq.  >
bq.  >     This if/else seems a little fuzzy.  Server-side, this is how it chooses an auth
bq.  Gary Helmling wrote:
bq.      Yes, this matches up with server side.  If not using kerberos auth, then does SIMPLE
auth, otherwise if a token is present does DIGEST, otherwise requires kerberos ticket.


bq.  On 2011-11-07 06:59:29, Michael Stack wrote:
bq.  > security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java, line 233
bq.  > <https://reviews.apache.org/r/1991/diff/4/?file=53577#file53577line233>
bq.  >
bq.  >     Formatting.  This copied from hadoop?
bq.  Gary Helmling wrote:
bq.      Yes, from Hadoop.  Cleaning up.

I'd say if copied from hadoop, don't clean it up.  Just leave it.

bq.  On 2011-11-07 06:59:29, Michael Stack wrote:
bq.  > security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java, line 345
bq.  > <https://reviews.apache.org/r/1991/diff/4/?file=53577#file53577line345>
bq.  >
bq.  >     What about the 'length' thing that we added to hbase? I don't see you processing
it here.  I suppose its ok because these are different client and servers and they just don't
do it (and things like asynchbase are not going to do secure hase any time soon).
bq.  Gary Helmling wrote:
bq.      Yeah, doesn't do "length" currently.  I could add it, but asynchbase would still
have to deal with the sasl negotiation on connection setup.

asynchbase is not going to be doing secure rpc anytime soon if ever so don't worry about it.

bq.  On 2011-11-07 06:59:29, Michael Stack wrote:
bq.  > security/src/main/java/org/apache/hadoop/hbase/ipc/SecureRpcEngine.java, line 366
bq.  > <https://reviews.apache.org/r/1991/diff/4/?file=53579#file53579line366>
bq.  >
bq.  >     Why we need this?  This in all our rpc'ing?
bq.  Gary Helmling wrote:
bq.      Yes, WritableRpcEngine$Server.call() does the same.  Don't know why we'd be implementing
RPC protocols with non-public methods, but predates me...


bq.  On 2011-11-07 06:59:29, Michael Stack wrote:
bq.  > security/src/main/java/org/apache/hadoop/hbase/ipc/SecureRpcEngine.java, line 381
bq.  > <https://reviews.apache.org/r/1991/diff/4/?file=53579#file53579line381>
bq.  >
bq.  >     Where does TRACELOG come from?  Why not LOG.trace?  Is it from parent?  Should
logging be from this class?
bq.  Gary Helmling wrote:
bq.      TRACELOG comes from HBaseServer I think.  We added it with the simple rpc call introspection
I did.  We wanted it to be a separate logger so it could be easily enabled to get those stats
without bringing in all the rest of the debug logging.


bq.  On 2011-11-07 06:59:29, Michael Stack wrote:
bq.  > security/src/main/java/org/apache/hadoop/hbase/ipc/SecureServer.java, line 123
bq.  > <https://reviews.apache.org/r/1991/diff/4/?file=53580#file53580line123>
bq.  >
bq.  >     If result is null, this will work?
bq.  Gary Helmling wrote:
bq.      Hmm, this is just doing same as HBaseServer, isn't it?

Fair enough

bq.  On 2011-11-07 06:59:29, Michael Stack wrote:
bq.  > security/src/main/java/org/apache/hadoop/hbase/ipc/SecureServer.java, line 597
bq.  > <https://reviews.apache.org/r/1991/diff/4/?file=53580#file53580line597>
bq.  >
bq.  >     This copy/pasted from hadoop?  Else its style violation (minor nit)
bq.  Gary Helmling wrote:
bq.      Yes, fixed anyway.  (HBaseServer$Connection.processData has the same problem).

Don't bother fixing the hadoop copies (you'll be working on it till cows come home and then
next update will mess it all up again -- not to mention the pain mapping hadoop to the cleaned
up hbase version)

bq.  On 2011-11-07 06:59:29, Michael Stack wrote:
bq.  > security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenIdentifier.java,
line 43
bq.  > <https://reviews.apache.org/r/1991/diff/4/?file=53588#file53588line43>
bq.  >
bq.  >     These are copied from hadoop?  Don't look like Gary style.
bq.  Gary Helmling wrote:
bq.      Yes, largely copied and modified.


bq.  On 2011-11-07 06:59:29, Michael Stack wrote:
bq.  > security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenSecretManager.java,
line 87
bq.  > <https://reviews.apache.org/r/1991/diff/4/?file=53589#file53589line87>
bq.  >
bq.  >     Should a 'secret manager' have a public constructor?
bq.  Gary Helmling wrote:
bq.      It's currently instantiated from SecureServer, so we need to access it somehow. 
With secured ZK access, znode ACLs will prevent creating a secret manager instance to obtain
the secret keys.  There is an opening here with coprocessors though, since they run in process
on the RS.  We'll ultimately need to lock those down separately.

Make a comment for now?

- Michael

This is an automatically generated e-mail. To reply, visit:

On 2011-10-26 20:23:19, Gary Helmling wrote:
bq.  -----------------------------------------------------------
bq.  This is an automatically generated e-mail. To reply, visit:
bq.  https://reviews.apache.org/r/1991/
bq.  -----------------------------------------------------------
bq.  (Updated 2011-10-26 20:23:19)
bq.  Review request for hbase.
bq.  Summary
bq.  -------
bq.  This patch creates a new secure RPC engine for HBase, which provides Kerberos based authentication
of clients, and a token-based authentication mechanism for mapreduce jobs.  Primary components
of the patch are:
bq.  - a new maven profile for secure Hadoop/HBase: hadoop-0.20S
bq.    - Secure Hadoop dependent classes are separated under a pseudo-module in the security/
directory.  These source and test directories are only including if building the secure Hadoop
bq.    - Currently the security classes get packaged with the regular HBase build artifacts.
 We need a way to at least override project.version, so we can append something like a "-security"
suffix indicating the additional security components.
bq.    - The pseudo-module here is really a half-step forward.  It enables the security code
to be optionally included in the build for now, and sets up the structure for a security module.
 But we still will want to pursue full modularization (see HBASE-4336), which will allow packing
the security code in a separate build artifact.
bq.  - a new RPC engine providing kerberos and token-based authentication: org.apache.hadoop.hbase.ipc.SecureRpcEngine
bq.    - implementation under security/src/main/java/org/apache/hadoop/hbase/ipc/
bq.    - The implementation classes extend the existing HBaseClient and HBaseServer to share
as much of the RPC code as possible.  The main override is of the connection classes to allow
control over the SASL negotiation of secure connections
bq.  - existing RPC changes
bq.    - The existing HBaseClient and HBaseServer have been modified to make subclassing possible
bq.    - All references to Hadoop UserGroupInformation have been replaced with org.apache.hadoop.hbase.security.User
to insulate from future dependencies on specific Hadoop versions
bq.  - a coprocessor endpoint for obtaining new authentication tokens: TokenProvider, and
supporting classes for token generation and synchronization (incorporating HBASE-3615)
bq.    - implementation is under security/src/main/java/org/apache/hadoop/hbase/security/token/
bq.    - Secret keys for token generation and verification are synchronized throughout the
cluster in zookeeper, under /hbase/tokenauth/keys
bq.  To enable secure RPC, add the following configuration to hbase-site.xml:
bq.    <property>
bq.     <name>hadoop.security.authorization</name>
bq.     <value>true</value>
bq.    </property>
bq.    <property>
bq.     <name>hadoop.security.authentication</name>
bq.     <value>kerberos</value>
bq.    </property>
bq.    <property>
bq.     <name>hbase.rpc.engine</name>
bq.     <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
bq.    </property>
bq.    <property>
bq.     <name>hbase.coprocessor.region.classes</name>
bq.     <value>org.apache.hadoop.hbase.security.token.TokenProvider</value>
bq.    </property>
bq.  In addition, the master and regionserver processes must be configured for kerberos authentication
using the properties:
bq.   * hbase.(master|regionserver).keytab.file
bq.   * hbase.(master|regionserver).kerberos.principal
bq.   * hbase.(master|regionserver).kerberos.https.principal
bq.  This addresses bug HBASE-2742.
bq.      https://issues.apache.org/jira/browse/HBASE-2742
bq.  Diffs
bq.  -----
bq.    conf/hbase-policy.xml PRE-CREATION 
bq.    pom.xml 9d42e2b 
bq.    security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java PRE-CREATION 
bq.    security/src/main/java/org/apache/hadoop/hbase/ipc/SecureConnectionHeader.java PRE-CREATION

bq.    security/src/main/java/org/apache/hadoop/hbase/ipc/SecureRpcEngine.java PRE-CREATION

bq.    security/src/main/java/org/apache/hadoop/hbase/ipc/SecureServer.java PRE-CREATION 
bq.    security/src/main/java/org/apache/hadoop/hbase/ipc/Status.java PRE-CREATION 
bq.    security/src/main/java/org/apache/hadoop/hbase/security/AccessDeniedException.java
bq.    security/src/main/java/org/apache/hadoop/hbase/security/HBasePolicyProvider.java PRE-CREATION

bq.    security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java PRE-CREATION

bq.    security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcServer.java PRE-CREATION

bq.    security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationKey.java
bq.    security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationProtocol.java
bq.    security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenIdentifier.java
bq.    security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenSecretManager.java
bq.    security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenSelector.java
bq.    security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java PRE-CREATION

bq.    security/src/main/java/org/apache/hadoop/hbase/security/token/TokenUtil.java PRE-CREATION

bq.    security/src/main/java/org/apache/hadoop/hbase/security/token/ZKLeaderManager.java
bq.    security/src/main/java/org/apache/hadoop/hbase/security/token/ZKSecretWatcher.java
bq.    security/src/test/java/org/apache/hadoop/hbase/security/token/TestTokenAuthentication.java
bq.    security/src/test/java/org/apache/hadoop/hbase/security/token/TestZKSecretWatcher.java
bq.    security/src/test/resources/hbase-site.xml PRE-CREATION 
bq.    src/main/java/org/apache/hadoop/hbase/HServerAddress.java f28240c 
bq.    src/main/java/org/apache/hadoop/hbase/client/HConnectionManager.java 06a2312 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/ConnectionHeader.java 904c107 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/HBaseClient.java 1365411 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/HBaseRPC.java 18310d6 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/HBaseRpcMetrics.java 337da78 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/HBaseServer.java 4a8918a 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/HMasterInterface.java 000f99c 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/HMasterRegionInterface.java 965102c 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/HRegionInterface.java 1f8b629 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/RequestContext.java PRE-CREATION 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/RpcEngine.java 1b5629a 
bq.    src/main/java/org/apache/hadoop/hbase/ipc/WritableRpcEngine.java 60a9248 
bq.    src/main/java/org/apache/hadoop/hbase/mapred/TableMapReduceUtil.java db07ed1 
bq.    src/main/java/org/apache/hadoop/hbase/mapreduce/TableMapReduceUtil.java ad88b76 
bq.    src/main/java/org/apache/hadoop/hbase/master/HMaster.java 3f8f929 
bq.    src/main/java/org/apache/hadoop/hbase/security/KerberosInfo.java PRE-CREATION 
bq.    src/main/java/org/apache/hadoop/hbase/security/TokenInfo.java PRE-CREATION 
bq.    src/main/java/org/apache/hadoop/hbase/security/User.java 00bd06d 
bq.    src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java bb67e53 
bq.    src/main/resources/hbase-default.xml 3785533 
bq.    src/test/java/org/apache/hadoop/hbase/MiniHBaseCluster.java 7194c02 
bq.    src/test/java/org/apache/hadoop/hbase/PerformanceEvaluation.java 3982eff 
bq.  Diff: https://reviews.apache.org/r/1991/diff
bq.  Testing
bq.  -------
bq.  A full test suite run showed failures in TestMasterFailover (timeout) and TestAvroServer.
 I'll look into those.
bq.  Cluster testing (1 master + 3 slaves in ec2) with Kerberos authentication and map reduce
token authentication, using YCSB, RowCounter, PerformanceEvaluation.
bq.  Thanks,
bq.  Gary

> Provide strong authentication with a secure RPC engine
> ------------------------------------------------------
>                 Key: HBASE-2742
>                 URL: https://issues.apache.org/jira/browse/HBASE-2742
>             Project: HBase
>          Issue Type: Improvement
>          Components: ipc
>            Reporter: Gary Helmling
>            Priority: Critical
>             Fix For: 0.92.0
> The HBase RPC code (org.apache.hadoop.hbase.ipc.*) was originally forked off of Hadoop
RPC classes, with some performance tweaks added.  Those optimizations have come at a cost
in keeping up with Hadoop RPC changes however, both bug fixes and improvements/new features.
> In particular, this impacts how we implement security features in HBase (see HBASE-1697
and HBASE-2016).  The secure Hadoop implementation (HADOOP-4487) relies heavily on RPC changes
to support client authentication via kerberos and securing and mutual authentication of client/server
connections via SASL.  Making use of the built-in Hadoop RPC classes will gain us these pieces
for free in a secure HBase.
> So, I'm proposing that we drop the HBase forked version of RPC and convert to direct
use of Hadoop RPC, while working to contribute important fixes back upstream to Hadoop core.
 Based on a review of the HBase RPC changes, the key divergences seem to be:
> HBaseClient:
>  - added use of TCP keepalive (HBASE-1754)
>  - made connection retries and sleep configurable (HBASE-1815)
>  - prevent NPE if socket == null due to creation failure (HBASE-2443)
> HBaseRPC:
>  - mapping of method names <-> codes (removed in HBASE-2219)
> HBaseServer:
>  - use of TCP keep alives (HBASE-1754)
>  - OOME in server does not trigger abort (HBASE-1198)
> HbaseObjectWritable:
>  - allows List<> serialization
>  - includes it's own class <-> code mapping (HBASE-328)
> Proposed process is:
> 1. open issues with patches on Hadoop core for important fixes/adjustments from HBase
RPC (HBASE-1198, HBASE-1815, HBASE-1754, HBASE-2443, plus a pluggable ObjectWritable implementation
in RPC.Invocation to allow use of HbaseObjectWritable).
> 2. ship a Hadoop version with RPC patches applied -- ideally we should avoid another
copy-n-paste code fork, subject to ability to isolate changes from impacting Hadoop internal
RPC wire formats
> 3. if all Hadoop core patches are applied we can drop back to a plain vanilla Hadoop
> I realize there are many different opinions on how to proceed with HBase RPC, so I'm
hoping this issue will kick off a discussion on what the best approach might be.  My own motivation
is maximizing re-use of the authentication and connection security work that's already gone
into Hadoop core.  I'll put together a set of patches around #1 and #2, but obviously we need
some consensus around this to move forward.  If I'm missing other differences between HBase
and Hadoop RPC, please list as well.  Discuss!

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message