hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Laxman (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-5498) Secure Bulk Load
Date Thu, 12 Jul 2012 11:45:39 GMT

    [ https://issues.apache.org/jira/browse/HBASE-5498?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13412719#comment-13412719

Laxman commented on HBASE-5498:

Thanks for correction Francis.

I tried as per your suggestion. Still no luck. Now we are hitting the same "Permission denied"
problem. On further investigation, I found that the DFS requests(rename) is still going with
"hbase" user. FS is initialized as "hbase" user during coprocessor initialization on startup.
I moved FS initialization like below. 

    boolean success = ugi.doAs(new PrivilegedAction<Boolean>() {
      public Boolean run() {
        FileSystem fs=null;
        try {
          setPermission(fs, srcPath, new FsPermission((short) 0777));
          fs.rename(srcPath, contentPath);
          LOG.info("moving " + srcPath + " to " + contentPath);
          completeBulkLoad(tableName, contentPath);

With this, I'm hitting a brand new problem.
2012-07-12 16:23:43,839 ERROR org.apache.hadoop.hbase.security.access.SecureBulkLoadEndPoint:
Failed to complete bulk load
	at javax.security.auth.Subject$ClassSet.populateSet(Subject.java:1351)
	at javax.security.auth.Subject$ClassSet.<init>(Subject.java:1317)
	at javax.security.auth.Subject.getPrivateCredentials(Subject.java:731)
	at org.apache.hadoop.security.UserGroupInformation.<init>(UserGroupInformation.java:488)
	at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:514)
	at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:346)
	at org.apache.hadoop.hdfs.DFSClient.<init>(DFSClient.java:327)
	at org.apache.hadoop.hdfs.DistributedFileSystem.initialize(DistributedFileSystem.java:121)

Based on this stacktrace analysis, this occurred as we continue without logging in "ugi.login()".
But this ugi.login supports keytab/ticket cache which I don't have for "test" on region-server

I think I'm missing some fundamental point in token delegation.

Apologies for too much of text.
> Secure Bulk Load
> ----------------
>                 Key: HBASE-5498
>                 URL: https://issues.apache.org/jira/browse/HBASE-5498
>             Project: HBase
>          Issue Type: Improvement
>          Components: mapred, security
>            Reporter: Francis Liu
>            Assignee: Francis Liu
>             Fix For: 0.96.0
>         Attachments: HBASE-5498_draft.patch
> Design doc: https://cwiki.apache.org/confluence/display/HCATALOG/HBase+Secure+Bulk+Load
> Short summary:
> Security as it stands does not cover the bulkLoadHFiles() feature. Users calling this
method will bypass ACLs. Also loading is made more cumbersome in a secure setting because
of hdfs privileges. bulkLoadHFiles() moves the data from user's directory to the hbase directory,
which would require certain write access privileges set.
> Our solution is to create a coprocessor which makes use of AuthManager to verify if a
user has write access to the table. If so, launches a MR job as the hbase user to do the importing
(ie rewrite from text to hfiles). One tricky part this job will have to do is impersonate
the calling user when reading the input files. We can do this by expecting the user to pass
an hdfs delegation token as part of the secureBulkLoad() coprocessor call and extend an inputformat
to make use of that token. The output is written to a temporary directory accessible only
by hbase and then bulkloadHFiles() is called.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message