hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matteo Bertozzi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14865) Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
Date Wed, 06 Jan 2016 00:44:39 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15084454#comment-15084454
] 

Matteo Bertozzi commented on HBASE-14865:
-----------------------------------------

for me the patch on master passes, but the one on branch-1 fail with both jdk 1.7.0_80-b15
and 1.8.0_66-b17
{noformat}
  TestSecureIPC.testSaslNoCommonQop 
Expected: (an instance of javax.security.sasl.SaslException and exception with message a string
containing "No common protection layer between client and server")
     but: an instance of javax.security.sasl.SaslException <GSSException: No valid credentials
provided (Mechanism level: Failed to find any Kerberos tgt)> is a org.ietf.jgss.GSSException
Stacktrace was: GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
	at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:181)
	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:617)
	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$700(RpcClientImpl.java:162)
	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:743)
	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:740)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:415)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1614)
	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:740)
	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.writeRequest(RpcClientImpl.java:902)
	at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.tracedWriteRequest(RpcClientImpl.java:871)
	at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1232)
	at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:221)
	at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:326)
	at org.apache.hadoop.hbase.ipc.protobuf.generated.TestDelayedRpcProtos$TestDelayedService$BlockingStub.test(TestDelayedRpcProtos.java:1115)
	at org.apache.hadoop.hbase.ipc.TestDelayedRpc$TestThread.run(TestDelayedRpc.java:277)
{noformat}

> Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-14865
>                 URL: https://issues.apache.org/jira/browse/HBASE-14865
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Appy
>            Assignee: Appy
>         Attachments: HBASE-14865-branch-1.2.patch, HBASE-14865-branch-1.patch, HBASE-14865-branch-1.patch,
HBASE-14865-master-v2.patch, HBASE-14865-master-v3.patch, HBASE-14865-master-v4.patch, HBASE-14865-master-v5.patch,
HBASE-14865-master-v6.patch, HBASE-14865-master-v7.patch, HBASE-14865-master.patch
>
>
> Currently, we can set the value of hbase.rpc.protection to one of authentication/integrity/privacy.
It is the used to set {{javax.security.sasl.qop}} in SaslUtil.java.
> The problem is, if a cluster wants to switch from one qop to another, it'll have to take
a downtime. Rolling upgrade will create a situation where some nodes have old value and some
have new, which'll prevent any communication between them. There will be similar issue when
clients will try to connect.
> {{javax.security.sasl.qop}} can take in a list of QOP in preferences order. So a transition
from qop1 to qop2 can be easily done like this
> "qop1" --> "qop2,qop1" --> rolling restart --> "qop2" --> rolling restart
> Need to change hbase.rpc.protection to accept a list too.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message