hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matteo Bertozzi (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-15622) Superusers does not consider the keytab credentials
Date Fri, 08 Apr 2016 22:05:25 GMT
Matteo Bertozzi created HBASE-15622:
---------------------------------------

             Summary: Superusers does not consider the keytab credentials
                 Key: HBASE-15622
                 URL: https://issues.apache.org/jira/browse/HBASE-15622
             Project: HBase
          Issue Type: Bug
          Components: security
    Affects Versions: 0.98.16.1, 1.1.4, 1.2.0, 2.0.0, 1.3.0
            Reporter: Matteo Bertozzi


After HBASE-13755 the superuser we add by default (the process running hbase) does not take
in consideration the keytab credential.

We have an env with the process user being hbase and the keytab being hbasefoo.
from Superusers TRACE I see, the hbase being picked up
{noformat}
TRACE Superusers: Current user name is hbase
{noformat}
from the RS audit I see the hbasefoo making requests
{noformat}
"allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
{noformat}

looking at the code in HRegionServer we do 
{code}
public HRegionServer(Configuration conf, CoordinatedStateManager csm)
      throws IOException {
   ...
    this.userProvider = UserProvider.instantiate(conf);
    Superusers.initialize(conf);
   ..
   // login the server principal (if using secure Hadoop)
    login(userProvider, hostName);
  ..
{code}
Before HBASE-13755 we were initializing the super user in the ACL coprocessor, so after the
login. but now we do that before the login.

I'm not sure if we can just move the Superuser.initialize() after the login [~mantonov]?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message