Date: Fri, 18 Nov 2011 11:36:51 +0000 (UTC)
From: "Hudson (Commented) (JIRA)"
To: issues@hbase.apache.org
Message-ID: <1725548740.43003.1321616211952.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (HBASE-2742) Provide strong authentication with a secure RPC engine

    [ https://issues.apache.org/jira/browse/HBASE-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13152799#comment-13152799 ]

Hudson commented on HBASE-2742:
-------------------------------

Integrated in HBase-TRUNK #2455 (See [https://builds.apache.org/job/HBase-TRUNK/2455/])
    HBASE-2742 Provide strong authentication with a secure RPC engine

garyh :
Files :
* /hbase/trunk/CHANGES.txt
* /hbase/trunk/conf/hbase-policy.xml
* /hbase/trunk/pom.xml
* /hbase/trunk/security
* /hbase/trunk/security/src
* /hbase/trunk/security/src/main
* /hbase/trunk/security/src/main/java
* /hbase/trunk/security/src/main/java/org
* /hbase/trunk/security/src/main/java/org/apache
* /hbase/trunk/security/src/main/java/org/apache/hadoop
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureConnectionHeader.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureRpcEngine.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureServer.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/AccessDeniedException.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/HBasePolicyProvider.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcServer.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationKey.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationProtocol.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenIdentifier.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenSecretManager.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenSelector.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenUtil.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/ZKSecretWatcher.java
* /hbase/trunk/security/src/test
* /hbase/trunk/security/src/test/java
* /hbase/trunk/security/src/test/java/org
* /hbase/trunk/security/src/test/java/org/apache
* /hbase/trunk/security/src/test/java/org/apache/hadoop
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/token
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/token/TestTokenAuthentication.java
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/token/TestZKSecretWatcher.java
* /hbase/trunk/security/src/test/resources
* /hbase/trunk/security/src/test/resources/hbase-site.xml
* /hbase/trunk/src/assembly/all.xml
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/HServerAddress.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/client/HConnectionManager.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/ConnectionHeader.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HBaseClient.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HBaseRPC.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HBaseRpcMetrics.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HBaseServer.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HMasterInterface.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HMasterRegionInterface.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HRegionInterface.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/RequestContext.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/RpcEngine.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/WritableRpcEngine.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/mapred/TableMapReduceUtil.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/mapreduce/TableMapReduceUtil.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/KerberosInfo.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/TokenInfo.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/User.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKLeaderManager.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
* /hbase/trunk/src/main/resources/hbase-default.xml
* /hbase/trunk/src/test/java/org/apache/hadoop/hbase/MiniHBaseCluster.java
* /hbase/trunk/src/test/java/org/apache/hadoop/hbase/PerformanceEvaluation.java
* /hbase/trunk/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKLeaderManager.java

> Provide strong authentication with a secure RPC engine
> ------------------------------------------------------
>
>                 Key: HBASE-2742
>                 URL: https://issues.apache.org/jira/browse/HBASE-2742
>             Project: HBase
>          Issue Type: Improvement
>          Components: ipc
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>            Priority: Critical
>             Fix For: 0.92.0
>
>         Attachments: HBASE-2742_10.patch
>
>
> The HBase RPC code (org.apache.hadoop.hbase.ipc.*) was originally forked off of Hadoop RPC classes, with some performance tweaks added. Those optimizations have come at a cost in keeping up with Hadoop RPC changes however, both bug fixes and improvements/new features.
> In particular, this impacts how we implement security features in HBase (see HBASE-1697 and HBASE-2016).
> The secure Hadoop implementation (HADOOP-4487) relies heavily on RPC changes to support client authentication via Kerberos and securing and mutual authentication of client/server connections via SASL. Making use of the built-in Hadoop RPC classes will gain us these pieces for free in a secure HBase.
> So, I'm proposing that we drop the HBase forked version of RPC and convert to direct use of Hadoop RPC, while working to contribute important fixes back upstream to Hadoop core. Based on a review of the HBase RPC changes, the key divergences seem to be:
> HBaseClient:
>  - added use of TCP keepalive (HBASE-1754)
>  - made connection retries and sleep configurable (HBASE-1815)
>  - prevent NPE if socket == null due to creation failure (HBASE-2443)
> HBaseRPC:
>  - mapping of method names <-> codes (removed in HBASE-2219)
> HBaseServer:
>  - use of TCP keep alives (HBASE-1754)
>  - OOME in server does not trigger abort (HBASE-1198)
> HbaseObjectWritable:
>  - allows List<> serialization
>  - includes its own class <-> code mapping (HBASE-328)
> Proposed process is:
> 1. open issues with patches on Hadoop core for important fixes/adjustments from HBase RPC (HBASE-1198, HBASE-1815, HBASE-1754, HBASE-2443, plus a pluggable ObjectWritable implementation in RPC.Invocation to allow use of HbaseObjectWritable).
> 2. ship a Hadoop version with RPC patches applied -- ideally we should avoid another copy-n-paste code fork, subject to ability to isolate changes from impacting Hadoop internal RPC wire formats
> 3. if all Hadoop core patches are applied we can drop back to a plain vanilla Hadoop version
> I realize there are many different opinions on how to proceed with HBase RPC, so I'm hoping this issue will kick off a discussion on what the best approach might be. My own motivation is maximizing re-use of the authentication and connection security work that's already gone into Hadoop core. I'll put together a set of patches around #1 and #2, but obviously we need some consensus around this to move forward. If I'm missing other differences between HBase and Hadoop RPC, please list as well. Discuss!