hbase-issues mailing list archives

From "Gary Helmling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-9890) MR jobs are not working if started by a delegated user
Date Tue, 05 Nov 2013 02:28:18 GMT

    [ https://issues.apache.org/jira/browse/HBASE-9890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13813573#comment-13813573 ]

Gary Helmling commented on HBASE-9890:

bq. so I should also move out the fs token request in loadIncrementalHFiles, since you can get secure HDFS but not secure HBase, right?

That is a good question.  In that section, the entire SecureBulkLoadClient usage seems to
be conditioned on HBase security being enabled though.  Would SecureBulkLoadClient be needed
(and does it work) if HDFS secure auth is enabled but not HBase security?  If not, then that
part seems okay as it is.

The secure bulk load implementation seems to assume both HDFS security and HBase security
are enabled (SecureBulkLoadEndpoint for example assumes that AccessController is enabled).
 So it seems okay to leave that bit of LoadIncrementalHFiles as it is, unless you see problems
from the Oozie case you're tackling.

> MR jobs are not working if started by a delegated user
> ------------------------------------------------------
>                 Key: HBASE-9890
>                 URL: https://issues.apache.org/jira/browse/HBASE-9890
>             Project: HBase
>          Issue Type: Bug
>          Components: mapreduce, security
>    Affects Versions: 0.98.0, 0.94.12, 0.96.0
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>             Fix For: 0.98.0, 0.94.13, 0.96.1
>         Attachments: HBASE-9890-94-v0.patch, HBASE-9890-v0.patch
> If Map-Reduce jobs are started by a proxy user that already has the delegation tokens, we get an exception on "obtain token" since the proxy user doesn't have the Kerberos auth.
> For example:
>  * If we use Oozie to execute RowCounter - Oozie will get the tokens required (HBASE_AUTH_TOKEN) and it will start the RowCounter. Once the RowCounter tries to obtain the token, it will get an exception.
>  * If we use Oozie to execute LoadIncrementalHFiles - Oozie will get the tokens required (HDFS_DELEGATION_TOKEN) and it will start the LoadIncrementalHFiles. Once the LoadIncrementalHFiles tries to obtain the token, it will get an exception.
> {code}
>  org.apache.hadoop.hbase.security.AccessDeniedException: Token generation only allowed for Kerberos authenticated clients
>     at org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87)
> {code}
> {code}
> org.apache.hadoop.ipc.RemoteException(java.io.IOException): Delegation Token can be issued only with kerberos or web authentication
> 	at org.apache.hadoop.hdfs.DFSClient.getDelegationToken(DFSClient.java:783)
> 	at org.apache.hadoop.hdfs.DistributedFileSystem.getDelegationToken(DistributedFileSystem.java:868)
> 	at org.apache.hadoop.fs.FileSystem.collectDelegationTokens(FileSystem.java:509)
> 	at org.apache.hadoop.fs.FileSystem.addDelegationTokens(FileSystem.java:487)
> 	at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:130)
> 	at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodesInternal(TokenCache.java:111)
> 	at org.apache.hadoop.mapreduce.security.TokenCache.obtainTokensForNamenodes(TokenCache.java:85)
> 	at org.apache.hadoop.filecache.TrackerDistributedCacheManager.getDelegationTokens(TrackerDistributedCacheManager.java:949)
> 	at org.apache.hadoop.mapred.JobClient.copyAndConfigureFiles(JobClient.java:854)
> 	at org.apache.hadoop.mapred.JobClient.copyAndConfigureFiles(JobClient.java:743)
> 	at org.apache.hadoop.mapred.JobClient.submitJobInternal(JobClient.java:945)
> 	at org.apache.hadoop.mapreduce.Job.submit(Job.java:566)
> 	at org.apache.hadoop.mapreduce.Job.waitForCompletion(Job.java:596)
> 	at org.apache.hadoop.hbase.mapreduce.RowCounter.main(RowCounter.java:173)
> {code}

This message was sent by Atlassian JIRA
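
An added example, not part of the original message or of the attached HBASE-9890 patches: one way a client could check whether the launcher (Oozie in the report) has already supplied a token of the needed kind before asking for a new one. The class and method names are hypothetical, the sample user and token are constructed, and it assumes the Hadoop security classes (UserGroupInformation, Token) are on the classpath.

```java
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/** Hypothetical helper for illustration; not code from HBase or the patches. */
public final class DelegatedTokenCheck {
  // Token kinds named in the issue description.
  static final Text HBASE_AUTH_TOKEN = new Text("HBASE_AUTH_TOKEN");
  static final Text HDFS_DELEGATION_TOKEN = new Text("HDFS_DELEGATION_TOKEN");

  /** True if the user's credentials already hold a token of the given kind. */
  static boolean hasToken(UserGroupInformation ugi, Text kind) {
    for (Token<? extends TokenIdentifier> t : ugi.getTokens()) {
      if (kind.equals(t.getKind())) {
        return true;
      }
    }
    return false;
  }

  /** Decide whether the client should request a new token of this kind. */
  static boolean shouldRequestToken(UserGroupInformation ugi, Text kind) {
    if (hasToken(ugi, kind)) {
      return false; // the launcher already supplied it; reuse it
    }
    // Without Kerberos credentials the request is rejected server-side,
    // which is the failure shown in the stack traces above.
    return ugi.hasKerberosCredentials();
  }

  public static void main(String[] args) {
    // Constructed sample: a user with no Kerberos login and one pre-issued token.
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser("delegated-user");
    ugi.addToken(new Token<TokenIdentifier>(
        new byte[0], new byte[0], HBASE_AUTH_TOKEN, new Text("constructed-service")));

    System.out.println("request HBase token: "
        + shouldRequestToken(ugi, HBASE_AUTH_TOKEN));
    System.out.println("request HDFS token:  "
        + shouldRequestToken(ugi, HDFS_DELEGATION_TOKEN));
  }
}
```

When neither a token nor Kerberos credentials are present, a caller may prefer to fail early with a clear error rather than silently skip the request.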
