Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-15622

Superusers does not consider the keytab credentials

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 1.2.0, 1.3.0, 1.1.4, 0.98.16.1, 2.0.0
    • 1.3.0, 0.98.19, 1.1.5, 1.2.2, 2.0.0
    • security
    • None

    Description

      After HBASE-13755 the superuser we add by default (the process running hbase) does not take in consideration the keytab credential.

      We have an env with the process user being hbase and the keytab being hbasefoo.
      from Superusers TRACE I see, the hbase being picked up

      TRACE Superusers: Current user name is hbase
      

      from the RS audit I see the hbasefoo making requests

      "allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
      

      looking at the code in HRegionServer we do

      public HRegionServer(Configuration conf, CoordinatedStateManager csm)
            throws IOException {
         ...
          this.userProvider = UserProvider.instantiate(conf);
          Superusers.initialize(conf);
         ..
         // login the server principal (if using secure Hadoop)
          login(userProvider, hostName);
        ..
      

      Before HBASE-13755 we were initializing the super user in the ACL coprocessor, so after the login. but now we do that before the login.

      I'm not sure if we can just move the Superuser.initialize() after the login mantonov?

      Attachments

        1. HBASE-15622-v0.patch
          1 kB
          Matteo Bertozzi

        Activity

          People

            mbertozzi Matteo Bertozzi
            mbertozzi Matteo Bertozzi
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: