[HBASE-15622] Superusers does not consider the keytab credentials - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.2.0, 1.3.0, 1.1.4, 0.98.16.1, 2.0.0
Fix Version/s: 1.3.0, 0.98.19, 1.1.5, 1.2.2, 2.0.0
Component/s: security
Labels:
None

Description

After ~~HBASE-13755~~ the superuser we add by default (the process running hbase) does not take in consideration the keytab credential.

We have an env with the process user being hbase and the keytab being hbasefoo.
from Superusers TRACE I see, the hbase being picked up

TRACE Superusers: Current user name is hbase

from the RS audit I see the hbasefoo making requests

"allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...

looking at the code in HRegionServer we do

public HRegionServer(Configuration conf, CoordinatedStateManager csm)
      throws IOException {
   ...
    this.userProvider = UserProvider.instantiate(conf);
    Superusers.initialize(conf);
   ..
   // login the server principal (if using secure Hadoop)
    login(userProvider, hostName);
  ..

Before ~~HBASE-13755~~ we were initializing the super user in the ACL coprocessor, so after the login. but now we do that before the login.

I'm not sure if we can just move the Superuser.initialize() after the login mantonov?

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HBASE-15622-v0.patch
14/Apr/16 21:40
1 kB
Matteo Bertozzi

Activity

People

Assignee:: Matteo Bertozzi

Reporter:: Matteo Bertozzi

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 08/Apr/16 22:04

Updated:: 16/Apr/16 17:19

Resolved:: 15/Apr/16 15:43