Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-15622

Superusers does not consider the keytab credentials

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.2.0, 1.3.0, 1.1.4, 0.98.16.1, 2.0.0
    • Fix Version/s: 1.3.0, 0.98.19, 1.1.5, 1.2.2, 2.0.0
    • Component/s: security
    • Labels:
      None

      Description

      After HBASE-13755 the superuser we add by default (the process running hbase) does not take in consideration the keytab credential.

      We have an env with the process user being hbase and the keytab being hbasefoo.
      from Superusers TRACE I see, the hbase being picked up

      TRACE Superusers: Current user name is hbase
      

      from the RS audit I see the hbasefoo making requests

      "allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
      

      looking at the code in HRegionServer we do

      public HRegionServer(Configuration conf, CoordinatedStateManager csm)
            throws IOException {
         ...
          this.userProvider = UserProvider.instantiate(conf);
          Superusers.initialize(conf);
         ..
         // login the server principal (if using secure Hadoop)
          login(userProvider, hostName);
        ..
      

      Before HBASE-13755 we were initializing the super user in the ACL coprocessor, so after the login. but now we do that before the login.

      I'm not sure if we can just move the Superuser.initialize() after the login Mikhail Antonov?

        Attachments

        1. HBASE-15622-v0.patch
          1 kB
          Matteo Bertozzi

          Activity

            People

            • Assignee:
              mbertozzi Matteo Bertozzi
              Reporter:
              mbertozzi Matteo Bertozzi
            • Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: