hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gary Helmling (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14580) Make the HBaseMiniCluster compliant with Kerberos
Date Fri, 09 Oct 2015 23:34:05 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14580?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14951399#comment-14951399
] 

Gary Helmling commented on HBASE-14580:
---------------------------------------

{code}
        "kerberos".equalsIgnoreCase(c.get("hbase.security.authentication", null))) {
{code}

Instead of hard-coding the config values, can you use {{User.isHBaseSecurityEnabled(c)}}?

The username suffixes were fed into the data dirs used by each DN/RS's for a "distributed"
minicluster setup (or at least they did way back when I last looked at HBaseTestingUtility).
 So, as I understand it, that would not be an issue here are Kerberos would only be supported
with a single node setup?

> Make the HBaseMiniCluster compliant with Kerberos
> -------------------------------------------------
>
>                 Key: HBASE-14580
>                 URL: https://issues.apache.org/jira/browse/HBASE-14580
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, test
>    Affects Versions: 2.0.0
>            Reporter: Nicolas Liochon
>            Assignee: Nicolas Liochon
>             Fix For: 2.0.0
>
>         Attachments: patch-14580.v1.patch
>
>
> Whne using MiniKDC and the minicluster in a unit test, there is a conflict causeed by
HBaseTestingUtility:
> {code}
>   public static User getDifferentUser(final Configuration c,
>     final String differentiatingSuffix)
>   throws IOException {
>    // snip
>     String username = User.getCurrent().getName() +
>       differentiatingSuffix; <==================== problem here
>     User user = User.createUserForTesting(c, username,
>         new String[]{"supergroup"});
>     return user;
>   }
> {code}
> This creates users like securedUser/localhost@EXAMPLE.COM.hfs.0, and this does not work.
> My fix is to return the current user when Kerberos is set. I don't think that there is
another option (any other opinion?). However this user is not in a group so we have logs like
'WARN  [IPC Server handler 9 on 61366] security.UserGroupInformation (UserGroupInformation.java:getGroupNames(1521))
- No groups available for user securedUser' I'm not sure of its impact. [~apurtell], what
do you think?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message