Details
-
Bug
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
2.1.0
-
None
Description
In a newly installed cluster with security and ranger, I cannot find hbase.coprocessor.regionserver.classes configured which is needed to protect some of the direct RPC's to the regionserver (stopping regionserver is an example).
In a proper cluster all three properties should be configured:
<property> <name>hbase.coprocessor.region.classes</name> <value>org.apache.hadoop.hbase.security.token.TokenProvider, org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value> </property> <property> <name>hbase.coprocessor.master.classes</name> <value>org.apache.hadoop.hbase.security.access.AccessController</value> </property> <property> <name>hbase.coprocessor.regionserver.classes</name> <value>org.apache.hadoop/hbase.security.access.AccessController</value> </property>
In stackadvisor, I can see that we are configuring hbase.coprocessor.regionserver.classes, but somehow in a newly installed cluster, I don't find the setting in hbase-site.xml.
There are a couple of action items from this jira:
- Make sure that hbase.coprocessor.regionserver.classes is configured properly for secure clusters.
- reading the stackadvisor code, it can be improved so that if the customer has configured other coprocessors, they are not lost. The logic for hbase.coprocessor.regionserver.classes and hbase.coprocessor.region.classes and hbase.coprocessor.master.classes should be something like this:
- get the list of co-processors and put them to a set.
- If security is enabled, then add either ranger or hbase native AC coprocessors to the set
- Else remove the AC and ranger AC coprocessors from the list
- write the configurations to hbase-site.
Attachments
Attachments
Issue Links
- supercedes
-
-
- Resolved
-
- links to
