From: "Matteo Bertozzi (JIRA)"
To: issues@hbase.apache.org
Date: Sun, 1 Jul 2012 16:33:26 +0000 (UTC)
Subject: [jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-4791:
-----------------------------------

    Attachment: HBASE-4791-v1.patch

I'll try to explain how the jaas.conf works...
On the first call of javax.security.auth.login.Configuration.getConfiguration(), the "login.configuration.provider" property is checked to see which Configuration class handles the jaas. If the property is not set, "com.sun.security.auth.login.ConfigFile" is used as the jaas.conf reader... It checks if "java.security.auth.login.config" was specified, and if so it reads the file and keeps the "jaas options".

So in your JVM there's just one single instance of auth.login.Configuration running.

The idea here is to avoid specifying -Djava.security.auth.login.config=jaas.conf for the HBase Region Server and HBase Master, and use the hbase-site instead.

One simple way to do that is to create a custom auth.login.Configuration class that returns the "jaas option" needed by HBase.

Now you have two options to use your Configuration class: one is setting the "login.configuration.provider" property to point to the proper class; the other way is to call auth.login.Configuration.setConfiguration() and provide the custom configuration class.

I've chosen the second way since you don't have to rely on "Have I already called Configuration.getConfiguration() somewhere?" and put the setProperty() as the first line... but the only thing to be aware of is "do this before connecting to zookeeper".

> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>         Attachments: DemoConfig.java, HBASE-4791-v0.patch, HBASE-4791-v1.patch
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in System.setProperty("java.security.auth.login.config").
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.
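
The setConfiguration() approach described in the comment above, as an added sketch that is not part of the original message and is not the code in HBASE-4791-v1.patch or DemoConfig.java. The class names, keytab path and principal are placeholders; "Client" is the section name ZooKeeper clients look up by default, and in HBase the keytab and principal would be read from hbase-site rather than hard-coded.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class ProgrammaticJaasDemo {
    /** Serves one JAAS section from code; other names go to the previous Configuration. */
    static class ZkClientJaasConfiguration extends Configuration {
        private final String section;
        private final AppConfigurationEntry[] entries;
        private final Configuration fallback; // may be null

        ZkClientJaasConfiguration(String section, String keytab, String principal, Configuration fallback) {
            Map<String, String> options = new HashMap<>();
            options.put("useKeyTab", "true");       // log in from the keytab, never prompt
            options.put("storeKey", "true");
            options.put("useTicketCache", "false");
            options.put("doNotPrompt", "true");
            options.put("keyTab", keytab);
            options.put("principal", principal);
            this.section = section;
            this.entries = new AppConfigurationEntry[] { new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options) };
            this.fallback = fallback;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (section.equals(name)) return entries;
            // Unknown names: defer to what was installed before, or report "no such section".
            return fallback != null ? fallback.getAppConfigurationEntry(name) : null;
        }
    }

    public static void main(String[] args) {
        Configuration previous;
        try {
            previous = Configuration.getConfiguration();
        } catch (SecurityException e) {
            previous = null; // no usable jaas.conf for this JVM
        }
        // Install before any ZooKeeper connection is opened; the values are placeholders.
        Configuration.setConfiguration(new ZkClientJaasConfiguration("Client",
            "/path/to/placeholder.keytab", "hbase/host.example.com@EXAMPLE.COM", previous));
        AppConfigurationEntry entry = Configuration.getConfiguration().getAppConfigurationEntry("Client")[0];
        System.out.println(entry.getLoginModuleName() + " " + entry.getOptions().get("principal"));
    }
}
```

Because the JVM holds a single Configuration instance, the wrapper keeps the previously installed one as a fallback so other login contexts in the same process still resolve.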