hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14865) Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
Date Thu, 14 Jan 2016 04:05:39 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097551#comment-15097551
] 

Ted Yu commented on HBASE-14865:
--------------------------------

With Java 1.7.0_60 , TestSecureIPC fails running against hadoop 2.7.0 :
{code}
testRpcCallWithEnabledKerberosSaslAuth(org.apache.hadoop.hbase.security.TestSecureIPC)  Time
elapsed: 0.049 sec  <<< ERROR!
java.io.IOException: Login failure for hbase/localhost@EXAMPLE.COM from keytab /Users/tyu/trunk/hbase-server/target/test-data/76d0c754-8dca-4c88-9933-b5a77646a750/keytab:
javax.security.auth.login.LoginException: Null realm name (601)
	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:962)
	at org.apache.hadoop.hbase.security.AbstractTestSecureIPC.loginKerberosPrincipal(AbstractTestSecureIPC.java:180)
	at org.apache.hadoop.hbase.security.AbstractTestSecureIPC.setUpTest(AbstractTestSecureIPC.java:112)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:24)
	at org.junit.rules.ExpectedException$ExpectedExceptionStatement.evaluate(ExpectedException.java:239)
{code}

> Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-14865
>                 URL: https://issues.apache.org/jira/browse/HBASE-14865
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Appy
>            Assignee: Appy
>         Attachments: HBASE-14865-branch-1.2.patch, HBASE-14865-branch-1.patch, HBASE-14865-branch-1.patch,
HBASE-14865-master-v2.patch, HBASE-14865-master-v3.patch, HBASE-14865-master-v4.patch, HBASE-14865-master-v5.patch,
HBASE-14865-master-v6.patch, HBASE-14865-master-v7.patch, HBASE-14865-master.patch
>
>
> Currently, we can set the value of hbase.rpc.protection to one of authentication/integrity/privacy.
It is the used to set {{javax.security.sasl.qop}} in SaslUtil.java.
> The problem is, if a cluster wants to switch from one qop to another, it'll have to take
a downtime. Rolling upgrade will create a situation where some nodes have old value and some
have new, which'll prevent any communication between them. There will be similar issue when
clients will try to connect.
> {{javax.security.sasl.qop}} can take in a list of QOP in preferences order. So a transition
from qop1 to qop2 can be easily done like this
> "qop1" --> "qop2,qop1" --> rolling restart --> "qop2" --> rolling restart
> Need to change hbase.rpc.protection to accept a list too.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message