hbase-issues mailing list archives

From "Gary Helmling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-7623) Username is not available for HConnectionManager to use in HConnectionKey
Date Fri, 18 Jan 2013 19:38:13 GMT

    [ https://issues.apache.org/jira/browse/HBASE-7623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13557527#comment-13557527 ]

Gary Helmling commented on HBASE-7623:

Okay, my concern was more that this might be a temporary condition where the user is not initially
available but then could be available later, potentially indicating a deeper problem, rather
than running in an environment with no user.  Is there a more specific exception to handle
in the Windows case?

From what I can see, if hadoop.security.authorization is set to "true", even with simple
auth, we may get an NPE server side when we call down to {{ServiceAuthorizationManager.authorize()}}
if the user is null.

We could modify {{HBaseServer.authorize()}} to do something like the following:
if (authorize) {
+  if (user == null) {
+    // when configured for authorization, some username is required
+    throw new AuthorizationException("Unable to authorize, no user is associated with connection");
+  }
  Class<?> protocol = null;
  try {
    protocol = getProtocolClass(connection.getProtocol(), getConf());
  } catch (ClassNotFoundException cfne) {
    throw new AuthorizationException("Unknown protocol: " +
-  authManager.authorize(user != null ? user : null,
-    protocol, getConf(), addr);
+  authManager.authorize(user, protocol, getConf(), addr);
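
Review bot: the new `user == null` branch at the top of the `if (authorize)` block throws "Unable to authorize, no user is associated with connection" without saying which connection it was. `addr` is already passed to `authManager.authorize(user, protocol, getConf(), addr)` further down, so if it is in scope at the check, adding it to the exception message would let an operator tell from the server log which client arrived without a user. Placing the check before `getProtocolClass(...)` is the right order, since the request fails closed before any further work is done, and dropping `user != null ? user : null` is safe because both arms of that conditional yield the same value. The snippet is cut off inside the `catch (ClassNotFoundException cfne)` block, so the final `authManager.authorize(...)` line should be confirmed against the full method to make sure it still sits inside `if (authorize)`.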

It seems like the right approach that a user is required if we're configured to do authorization.
The second change is just a cleanup since the conditional does nothing in that case.

If we're not configured to do authorization and only doing simple auth, then a null user looks
to be okay.

> Username is not available for HConnectionManager to use in HConnectionKey
> -------------------------------------------------------------------------
>                 Key: HBASE-7623
>                 URL: https://issues.apache.org/jira/browse/HBASE-7623
>             Project: HBase
>          Issue Type: Improvement
>          Components: Client, security
>            Reporter: Jimmy Xiang
>            Assignee: Jimmy Xiang
>            Priority: Minor
>         Attachments: trunk-7623.patch
> Sometimes, some non-IOException prevents User.getCurrent() from getting a username.  It makes
> it impossible to create an HConnection.  We should catch all exceptions here:
> {noformat}
>       try {
>         User currentUser = User.getCurrent();
>         if (currentUser != null) {
>           username = currentUser.getName();
>         }
>       } catch (IOException ioe) {
>         LOG.warn("Error obtaining current user, skipping username in HConnectionKey",
>             ioe);
>       }
> {noformat}
> Not just IOException, so that client can move forward.
