hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matteo Bertozzi (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-15622) Superusers does not consider the keytab credentials
Date Thu, 14 Apr 2016 21:41:25 GMT

     [ https://issues.apache.org/jira/browse/HBASE-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Matteo Bertozzi updated HBASE-15622:
------------------------------------
    Status: Patch Available  (was: Open)

> Superusers does not consider the keytab credentials
> ---------------------------------------------------
>
>                 Key: HBASE-15622
>                 URL: https://issues.apache.org/jira/browse/HBASE-15622
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.98.16.1, 1.1.4, 1.2.0, 2.0.0, 1.3.0
>            Reporter: Matteo Bertozzi
>            Priority: Critical
>             Fix For: 2.0.0, 1.3.0, 0.98.19, 1.1.5, 1.2.2
>
>         Attachments: HBASE-15622-v0.patch
>
>
> After HBASE-13755 the superuser we add by default (the process running hbase) does not
take in consideration the keytab credential.
> We have an env with the process user being hbase and the keytab being hbasefoo.
> from Superusers TRACE I see, the hbase being picked up
> {noformat}
> TRACE Superusers: Current user name is hbase
> {noformat}
> from the RS audit I see the hbasefoo making requests
> {noformat}
> "allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
> {noformat}
> looking at the code in HRegionServer we do 
> {code}
> public HRegionServer(Configuration conf, CoordinatedStateManager csm)
>       throws IOException {
>    ...
>     this.userProvider = UserProvider.instantiate(conf);
>     Superusers.initialize(conf);
>    ..
>    // login the server principal (if using secure Hadoop)
>     login(userProvider, hostName);
>   ..
> {code}
> Before HBASE-13755 we were initializing the super user in the ACL coprocessor, so after
the login. but now we do that before the login.
> I'm not sure if we can just move the Superuser.initialize() after the login [~mantonov]?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message