Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-17827

Client tools relying on AuthUtil.getAuthChore() break credential cache login

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: canary, security
    • Labels:
      None

      Description

      Client tools, such as Canary, which make use of keytab based logins with AuthUtil.getAuthChore() do not allow any way to continue without a keytab-based login when security is enabled. Currently, when security is enabled and the configuration lacks hbase.client.keytab.file, these tools would fail with:

      ERROR hbase.AuthUtil: Error while trying to perform the initial login: Running in secure mode, but config doesn't have a keytab
      java.io.IOException: Running in secure mode, but config doesn't have a keytab
              at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239)
              at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420)
              at org.apache.hadoop.hbase.security.User.login(User.java:258)
              at org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197)
              at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98)
              at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589)
              at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
              at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327)
      Exception in thread "main" java.io.IOException: Running in secure mode, but config doesn't have a keytab
              at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239)
              at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420)
              at org.apache.hadoop.hbase.security.User.login(User.java:258)
              at org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197)
              at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98)
              at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589)
              at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
              at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327)
      

      These tools should still work with the default credential-cache login, at least when a client keytab is not configured.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              ghelmling Gary Helmling
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated: