hbase-issues mailing list archives

From "Appy (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14865) Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
Date Thu, 14 Jan 2016 03:29:39 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097526#comment-15097526 ]

Appy commented on HBASE-14865:
------------------------------

So debugging the errors seen by matteo, here are the details:
The tests pass on Java version 1.7.0_75 but fail for Java 1.7.0_80 and Java 8.
It's because [these 3 lines of compatibility code|http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7u40-b43/com/sun/security/auth/module/Krb5LoginModule.java#1067] were removed somewhere in between those versions. As a result, UGI in hadoop-common makes the wrong conclusion [here|https://github.com/apache/hadoop/blob/branch-2.5.2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L583] that there is no keytab and fails to authenticate. The bug in UGI was fixed by [HADOOP-11287|https://github.com/apache/hadoop/commit/0ee41612bb237331fc7130a6fb8b5e3366fcc221], but the fix only exists in 2.7.0+. So using Java 1.7.0_80+ with hadoop-common <= 2.6.x, you'll definitely see this error.
QA didn't fail because master uses hadoop-common 2.7.0+.
The issue was always there but didn't surface earlier since all tests were only testing code paths for correct execution, but none for failures, until this patch added some.
If there is a Hadoop release of 2.5.x or 2.6.x, we can ask them to backport the fix. There's really nothing else we can do here (except a release note to notify users).
[~andrew.purtell@gmail.com], can you ptal at my assessment?



> Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-14865
>                 URL: https://issues.apache.org/jira/browse/HBASE-14865
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Appy
>            Assignee: Appy
>         Attachments: HBASE-14865-branch-1.2.patch, HBASE-14865-branch-1.patch, HBASE-14865-branch-1.patch, HBASE-14865-master-v2.patch, HBASE-14865-master-v3.patch, HBASE-14865-master-v4.patch, HBASE-14865-master-v5.patch, HBASE-14865-master-v6.patch, HBASE-14865-master-v7.patch, HBASE-14865-master.patch
>
>
> Currently, we can set the value of hbase.rpc.protection to one of authentication/integrity/privacy. It is then used to set {{javax.security.sasl.qop}} in SaslUtil.java.
> The problem is, if a cluster wants to switch from one qop to another, it'll have to take a downtime. Rolling upgrade will create a situation where some nodes have the old value and some have the new, which'll prevent any communication between them. There will be a similar issue when clients try to connect.
> {{javax.security.sasl.qop}} can take in a list of QOPs in preference order. So a transition from qop1 to qop2 can be easily done like this
> "qop1" --> "qop2,qop1" --> rolling restart --> "qop2" --> rolling restart
> Need to change hbase.rpc.protection to accept a list too.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
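
The rolling transition from the issue description, as an added example that is not part of the original message or of the HBASE-14865 patches. It assumes qop1 = authentication and qop2 = privacy; the class `QopTransitionDemo` and its methods are hypothetical, and `negotiate` is a simplified model in which the client takes the first of its own preferences that the server also accepts.

```java
import java.util.ArrayList;
import java.util.List;
import javax.security.sasl.Sasl;

public class QopTransitionDemo {
    // hbase.rpc.protection name -> SASL QOP token understood by javax.security.sasl.qop
    static String toSaslQop(String name) {
        switch (name.trim().toLowerCase()) {
            case "authentication": return "auth";
            case "integrity":      return "auth-int";
            case "privacy":        return "auth-conf";
            default: throw new IllegalArgumentException("Unknown protection level: " + name);
        }
    }

    // Comma-separated hbase.rpc.protection value -> QOP tokens, preference order preserved
    static List<String> parse(String rpcProtection) {
        List<String> qops = new ArrayList<String>();
        for (String name : rpcProtection.split(",")) {
            qops.add(toSaslQop(name));
        }
        return qops;
    }

    // Simplified negotiation (assumption): first client preference the server accepts; null = no common QOP
    static String negotiate(String clientCfg, String serverCfg) {
        List<String> accepted = parse(serverCfg);
        for (String qop : parse(clientCfg)) {
            if (accepted.contains(qop)) return qop;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values for the three configuration stages of the transition
        String oldCfg = "authentication", midCfg = "privacy,authentication", newCfg = "privacy";
        System.out.println(Sasl.QOP + " = " + String.join(",", parse(midCfg)));
        String[][] pairs = {
            {oldCfg, newCfg},                                     // direct switch, mixed cluster
            {oldCfg, midCfg}, {midCfg, oldCfg}, {midCfg, midCfg}, // first rolling restart
            {midCfg, newCfg}, {newCfg, midCfg}, {newCfg, newCfg}  // second rolling restart
        };
        for (String[] p : pairs) {
            String qop = negotiate(p[0], p[1]);
            System.out.printf("client=%-24s server=%-24s -> %s%n",
                p[0], p[1], qop == null ? "no common QOP, handshake fails" : qop);
        }
    }
}
```

Only the direct old-to-new pairing has no QOP in common. During the first rolling restart, connections involving a node still on the old value stay at the weaker level, so the stronger level is guaranteed only after the second restart.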
