hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gary Helmling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-7623) Username is not available for HConnectionManager to use in HConnectionKey
Date Fri, 18 Jan 2013 19:38:13 GMT

    [ https://issues.apache.org/jira/browse/HBASE-7623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13557527#comment-13557527
] 

Gary Helmling commented on HBASE-7623:
--------------------------------------

Okay, my concern was more that this might be a temporary condition where the user is not initially
available but then could be available later, potentially indicating a deeper problem, rather
than running in an environment with no user.  Is there a more specific exception to handle
in the Windows case?

>From what I can see, if hadoop.security.authorization is set to "true", even with simple
auth, we may get an NPE server side when we call down to {{ServiceAuthorizationManager.authorize()}}
if the user is null.

We could modify {{HBaseServer.authorize()}} to do something like the following:
{code:java}
if (authorize) {
+  if (user == null) {
+    // when configured for authorization, some username is required
+    throw new AuthorizationException("Unable to authorize, no user is associated with connection");
+  }
  Class<?> protocol = null;
  try {
    protocol = getProtocolClass(connection.getProtocol(), getConf());
  } catch (ClassNotFoundException cfne) {
    throw new AuthorizationException("Unknown protocol: " +
                                     connection.getProtocol());
  }
-  authManager.authorize(user != null ? user : null,
-    protocol, getConf(), addr);
+  authManager.authorize(user, protocol, getConf(), addr);
}
{code}

It seems like the right approach that a user is required if we're configured to do authorization.
 The second change is just a cleanup since the conditional does nothing in that case.

If we're not configured to do authorization and only doing simple auth, then a null user looks
to be okay.
                
> Username is not available for HConnectionManager to use in HConnectionKey
> -------------------------------------------------------------------------
>
>                 Key: HBASE-7623
>                 URL: https://issues.apache.org/jira/browse/HBASE-7623
>             Project: HBase
>          Issue Type: Improvement
>          Components: Client, security
>            Reporter: Jimmy Xiang
>            Assignee: Jimmy Xiang
>            Priority: Minor
>         Attachments: trunk-7623.patch
>
>
> Sometimes, some non-IOException prevents User.getCurrent() to get a username.  It makes
it impossible to create a HConnection.  We should catch all exception here:
> {noformat}
>       try {
>         User currentUser = User.getCurrent();
>         if (currentUser != null) {
>           username = currentUser.getName();
>         }
>       } catch (IOException ioe) {
>         LOG.warn("Error obtaining current user, skipping username in HConnectionKey",
>             ioe);
>       }
> {noformat}
> Not just IOException, so that client can move forward.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message