hbase-issues mailing list archives

From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-17439) Make authentication Token retrieval amenable to coprocessor
Date Wed, 11 Jan 2017 02:34:58 GMT

    [ https://issues.apache.org/jira/browse/HBASE-17439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15816916#comment-15816916 ]

Ted Yu commented on HBASE-17439:
--------------------------------

Take a look at SecureBulkLoadEndpoint#secureBulkLoadHFiles which calls ugi.doAs() where ugi is the request user.
preCommitStoreFile() would record the path of bulk loaded file in some table - hence the need for auth token.




> Make authentication Token retrieval amenable to coprocessor
> -----------------------------------------------------------
>
>                 Key: HBASE-17439
>                 URL: https://issues.apache.org/jira/browse/HBASE-17439
>             Project: HBase
>          Issue Type: Improvement
>          Components: Coprocessors, security
>            Reporter: Ted Yu
>
> Here is a snippet of the stack trace from HBASE-17435:
> {code}
>         at org.apache.hadoop.hbase.backup.BackupObserver.preCommitStoreFile(BackupObserver.java:89)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$61.call(RegionCoprocessorHost.java:1494)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1692)
>         at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preCommitStoreFile(RegionCoprocessorHost.java:1490)
>         at org.apache.hadoop.hbase.regionserver.HRegion.bulkLoadHFiles(HRegion.java:5512)
>         at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint$1.run(SecureBulkLoadEndpoint.java:293)
>         at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint$1.run(SecureBulkLoadEndpoint.java:276)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:356)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1704)
>         at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint.secureBulkLoadHFiles(SecureBulkLoadEndpoint.java:276)
> {code}
> The ugi obtained from RPC on the server side does not contain required Kerberos credentials to access hbase table. Hence the need to pass authentication Token from region server onto the ugi.
> In the course of solving HBASE-17435, [~jerryhe] and I noticed that it is cumbersome for other coprocessors (such as SecureBulkLoadEndpoint) to retrieve authentication Token from region server.
> Currently a Connection is needed to communicate with TokenProvider. Care is needed not to introduce deadlock on the server side.
> This JIRA is to investigate feasibility of bypassing Connection / TokenProvider in the retrieval of authentication Token for custom coprocessor. This involves some refactoring around AuthenticationTokenSecretManager.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
