hbase-user mailing list archives

From Parth Brahmbhatt <pbrahmbh...@hortonworks.com>
Subject Re: getting delegation token for hbase
Date Fri, 15 Aug 2014 20:00:08 GMT
Hey Gary,

Thanks for the response. I realized that, so I changed my code to the following:

       //  if(UserGroupInformation.isSecurityEnabled) {
+            //      Configuration hbaseConf = HBaseConfiguration.create();
+            //      UserGroupInformation.setConfiguration(hbaseConf);
+            //      UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
+            //      UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(topologySubmitterUser,
ugi);
+            //
+            //      User u = User.create(ugi);
+            //      if(u.isHBaseSecurityEnabled()) {
+            //             TokenUtil.obtainAndCacheToken(hbaseConf, proxyUser);
+            //      }
+            // }
+            // and then return the credential object from the proxyUser.getCredentials()
as a bytearray.
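
Review bot: every line of this block is still behind `//`, so as posted nothing here executes, and the first line tests `UserGroupInformation.isSecurityEnabled` without call parentheses, unlike every other method call in the block. The final step (returning `proxyUser.getCredentials()` as a byte array) exists only as a comment; it should be written as code so the serialization, and what happens when either security check is false and no token was obtained, can be reviewed. Since those bytes carry the token obtained by `TokenUtil.obtainAndCacheToken(hbaseConf, proxyUser)`, the code that hands them to workers deserves the same scrutiny as this block.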

I don’t think we need to support older versions of HBase. However there is one thing that
still bugs me. How does token renewal work here? Generally in HDFS I have seen that you have
to pass in the renewer user as an argument when you obtain a token. Here, as the renew user is
not passed, I am guessing it’s either some hardcoded HBase value, or it’s derived from the
UGI.

Thanks
Parth

On Aug 15, 2014, at 12:50 PM, Gary Helmling <ghelmling@gmail.com> wrote:

> Hi Parth,
> 
> The code that you outline here would just return credentials containing
> tokens that have already been obtained for the given user.
> 
> As I understand it, what you are trying to do is have Storm do secure
> impersonation in order to obtain a delegation token on behalf of another
> user, which the processes running on worker nodes will be able to use to
> authenticate to HBase as that user.  Is this correct?
> 
> If so, then the next question is what versions of HBase do you want to
> support?  If you only need to support HBase 0.96+ and current versions of
> 0.94 (0.94.19+), then you can make use of the
> org.apache.hadoop.hbase.security.token.TokenUtil class.  You can call
> TokenUtil.obtainToken(Configuration) to obtain a delegation token for the
> current user.  Or you can call TokenUtil.obtainAndCacheToken(Configuration,
> UserGroupInformation) to obtain a token for a specific UGI and add it to
> the UGI's credentials.
> 
> If you really need to support older versions of HBase 0.94 (pre 0.94.19),
> then you will need to add some reflection around this, since old versions
> of 0.94 did not include the security classes (including TokenUtil) by
> default.  This is why the User class exposes its own obtainToken...()
> methods to provide the reflection support.  However, I'd recommend that you
> avoid this and just stick with current versions of HBase as described above.
> 
> --gh
> 
> 
> 
> On Wed, Aug 13, 2014 at 12:36 PM, Parth Brahmbhatt <
> pbrahmbhatt@hortonworks.com> wrote:
> 
>> Hi,
>> 
>> I am working on https://issues.apache.org/jira/browse/STORM-444. The task
>> is very similar to https://issues.apache.org/jira/browse/OOZIE-961.
>> Basically in storm secure mode we would like to fetch topology/job
>> submitter user’s credentials on behalf of them on our master node and auto
>> populate these credentials on worker nodes. However I noticed that the only
>> allowed methods supported by User class require either a jobConf or a
>> combination of kind and service (not real sure what those are). We do not
>> have any job configuration because the user is probably just trying to talk
>> to HBase outside of any map reduce context. The questions I have are
>> 
>> Is there any value in adding a user.getDelegationToken that just returns
>> all the tokens?
>> In absence of the above API, given User class is just a wrapper around the
>> UserGroupInformation class should the following be sufficient?
>>            // Declared outside the if-blocks so it is in scope at the return.
>>            Credentials credentials = null;
>>            if (UserGroupInformation.isSecurityEnabled()) {
>>                  Configuration hbaseConf = HBaseConfiguration.create();
>>                  UserGroupInformation.setConfiguration(hbaseConf);
>>                  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
>>                  UserGroupInformation proxyUser =
>>                      UserGroupInformation.createProxyUser(topologyOrJobSubmitterUser, ugi);
>>                  // isHBaseSecurityEnabled is a static method that takes the configuration.
>>                  if (User.isHBaseSecurityEnabled(hbaseConf)) {
>>                         credentials = proxyUser.getCredentials();
>>                  }
>>            }
>>            return credentials;
>> 
>> Appreciate the help.
>> 
>> Thanks
>> Parth
>> --
>> CONFIDENTIALITY NOTICE
>> NOTICE: This message is intended for the use of the individual or entity to
>> which it is addressed and may contain information that is confidential,
>> privileged and exempt from disclosure under applicable law. If the reader
>> of this message is not the intended recipient, you are hereby notified that
>> any printing, copying, dissemination, distribution, disclosure or
>> forwarding of this communication is strictly prohibited. If you have
>> received this communication in error, please contact the sender immediately
>> and delete it from your system. Thank You.
>> 
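
The flow this thread converges on, written out as an added example (not code from the thread, Storm or HBase): the master obtains an HBase delegation token for the submitting user through a proxy UGI, serializes the credentials, and a worker loads them. The class and method names are hypothetical, and it assumes Hadoop 2 and HBase 0.96+ APIs and a cluster that permits the service principal to impersonate the submitter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical helper; the class and method names are not from Storm or HBase.
public class HBaseTokenShipper {

    // Master side: runs as the Kerberos-authenticated service principal.
    public static byte[] fetchTokenFor(String submitter)
            throws IOException, InterruptedException {
        Configuration conf = HBaseConfiguration.create();
        UserGroupInformation.setConfiguration(conf);
        if (!UserGroupInformation.isSecurityEnabled()
                || !User.isHBaseSecurityEnabled(conf)) {
            return new byte[0]; // unsecured cluster: nothing to ship
        }
        UserGroupInformation realUser = UserGroupInformation.getCurrentUser();
        UserGroupInformation proxyUser =
                UserGroupInformation.createProxyUser(submitter, realUser);
        // Requests a fresh token as the proxy user and stores it in that UGI.
        TokenUtil.obtainAndCacheToken(conf, proxyUser);

        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(buffer)) {
            proxyUser.getCredentials().writeTokenStorageToStream(out);
        }
        return buffer.toByteArray();
    }

    // Worker side: adds the shipped tokens to the current user's credentials.
    public static void loadToken(byte[] serialized) throws IOException {
        if (serialized.length == 0) {
            return; // master found security disabled
        }
        Credentials creds = new Credentials();
        try (DataInputStream in =
                new DataInputStream(new ByteArrayInputStream(serialized))) {
            creds.readTokenStorageStream(in);
        }
        UserGroupInformation.getCurrentUser().addCredentials(creds);
    }
}
```

The returned byte array is a bearer credential for the submitter until the token expires, so it should travel to workers only over an authenticated, encrypted channel and stay out of logs.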
