Return-Path: X-Original-To: apmail-hbase-issues-archive@www.apache.org Delivered-To: apmail-hbase-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2DFBFE53B for ; Fri, 18 Jan 2013 19:38:14 +0000 (UTC) Received: (qmail 3789 invoked by uid 500); 18 Jan 2013 19:38:13 -0000 Delivered-To: apmail-hbase-issues-archive@hbase.apache.org Received: (qmail 3749 invoked by uid 500); 18 Jan 2013 19:38:13 -0000 Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@hbase.apache.org Received: (qmail 3739 invoked by uid 99); 18 Jan 2013 19:38:13 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 18 Jan 2013 19:38:13 +0000 Date: Fri, 18 Jan 2013 19:38:13 +0000 (UTC) From: "Gary Helmling (JIRA)" To: issues@hbase.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HBASE-7623) Username is not available for HConnectionManager to use in HConnectionKey MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HBASE-7623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13557527#comment-13557527 ] Gary Helmling commented on HBASE-7623: -------------------------------------- Okay, my concern was more that this might be a temporary condition where the user is not initially available but then could be available later, potentially indicating a deeper problem, rather than running in an environment with no user. Is there a more specific exception to handle in the Windows case? >From what I can see, if hadoop.security.authorization is set to "true", even with simple auth, we may get an NPE server side when we call down to {{ServiceAuthorizationManager.authorize()}} if the user is null. We could modify {{HBaseServer.authorize()}} to do something like the following: {code:java} if (authorize) { + if (user == null) { + // when configured for authorization, some username is required + throw new AuthorizationException("Unable to authorize, no user is associated with connection"); + } Class protocol = null; try { protocol = getProtocolClass(connection.getProtocol(), getConf()); } catch (ClassNotFoundException cfne) { throw new AuthorizationException("Unknown protocol: " + connection.getProtocol()); } - authManager.authorize(user != null ? user : null, - protocol, getConf(), addr); + authManager.authorize(user, protocol, getConf(), addr); } {code} It seems like the right approach that a user is required if we're configured to do authorization. The second change is just a cleanup since the conditional does nothing in that case. If we're not configured to do authorization and only doing simple auth, then a null user looks to be okay. > Username is not available for HConnectionManager to use in HConnectionKey > ------------------------------------------------------------------------- > > Key: HBASE-7623 > URL: https://issues.apache.org/jira/browse/HBASE-7623 > Project: HBase > Issue Type: Improvement > Components: Client, security > Reporter: Jimmy Xiang > Assignee: Jimmy Xiang > Priority: Minor > Attachments: trunk-7623.patch > > > Sometimes, some non-IOException prevents User.getCurrent() to get a username. It makes it impossible to create a HConnection. We should catch all exception here: > {noformat} > try { > User currentUser = User.getCurrent(); > if (currentUser != null) { > username = currentUser.getName(); > } > } catch (IOException ioe) { > LOG.warn("Error obtaining current user, skipping username in HConnectionKey", > ioe); > } > {noformat} > Not just IOException, so that client can move forward. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira