HBASE-15145

HBCK and Replication should authenticate to ZooKeeper using server principal

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.2.0, 1.3.0, 1.1.4, 0.98.18, 2.0.0
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      Added a new command line argument: --auth-as-server to enable authenticating to ZooKeeper as the HBase Server principal. This is required for secure clusters for doing replication operations like add_peer, list_peers, etc. until HBASE-11392 is fixed. This advanced option can also be used for manually fixing secure znodes.

      Commands can now be invoked like:
      hbase --auth-as-server shell
      hbase --auth-as-server zkcli

      HBCK in a secure setup also needs to authenticate to ZK using the server principal. This is turned on by default (no need to pass an additional argument).

      When authenticating as server, HBASE_SERVER_JAAS_OPTS is concatenated to HBASE_OPTS if defined in hbase-env.sh. Otherwise, HBASE_REGIONSERVER_OPTS is concatenated.
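
The option selection described in this release note, as an added shell sketch (not code from the HBase project). `effective_opts` is a hypothetical helper, and the JVM flags and file paths are constructed sample values.

```shell
# Added sketch, not the project's bin/hbase. The function name and all sample
# values below are constructed for illustration.

# effective_opts [--auth-as-server] COMMAND
# Prints the JVM options a launcher following the release note would use.
effective_opts() (
  auth_as_server=false
  if [ "${1:-}" = "--auth-as-server" ]; then
    auth_as_server=true
    shift
  fi
  command=${1:-}

  # HBCK authenticates as the server without the extra argument.
  if [ "$command" = "hbck" ]; then
    auth_as_server=true
  fi

  opts=${HBASE_OPTS:-}
  if [ "$auth_as_server" = "true" ]; then
    if [ -n "${HBASE_SERVER_JAAS_OPTS:-}" ]; then
      opts="$opts $HBASE_SERVER_JAAS_OPTS"
    else
      # Fallback: every regionserver JVM option is appended, not only JAAS.
      opts="$opts ${HBASE_REGIONSERVER_OPTS:-}"
    fi
  fi
  printf '%s\n' "$opts"
)

# Constructed hbase-env.sh style settings.
HBASE_OPTS="-Xmx1g"
HBASE_SERVER_JAAS_OPTS="-Djava.security.auth.login.config=/etc/hbase/conf/server_jaas.conf"
HBASE_REGIONSERVER_OPTS="-Xmx8g -Djava.security.auth.login.config=/etc/hbase/conf/rs_jaas.conf"

for args in "shell" "--auth-as-server zkcli" "hbck"; do
  # Unquoted on purpose: split the sample string into separate arguments.
  echo "hbase $args -> $(effective_opts $args)"
done

# Without HBASE_SERVER_JAAS_OPTS the regionserver options are used instead.
unset HBASE_SERVER_JAAS_OPTS
echo "fallback -> $(effective_opts --auth-as-server shell)"
```

With `HBASE_SERVER_JAAS_OPTS` unset, the command-line JVM receives all of `HBASE_REGIONSERVER_OPTS`, so defining `HBASE_SERVER_JAAS_OPTS` in hbase-env.sh keeps the server JAAS setting separate from heap and other regionserver flags.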

      Description

      In secure clusters, we protect znodes with the server principal in zk. However, if a user wants to add a replication peer or run HBCK, then she will get an Auth exception. This was not a problem due to an earlier bug.

      For replication, the long term fix is HBASE-11392. However, we should still have a way to launch zkcli with the server principals for manual inspection / manipulation.

      HBCK should always assume the server principals.

      Thanks Koelli Mungee for reporting this.

        Attachments

        1. hbase-15145_v1.patch
          1 kB
          Enis Soztutar
        2. hbase-15145_v2.patch
          1 kB
          Enis Soztutar

            People

            • Assignee: Enis Soztutar
            • Reporter: Enis Soztutar