Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-19318

MasterRpcServices#getSecurityCapabilities explicitly checks for the HBase AccessController implementation

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.0-beta-1, 2.0.0
    • Component/s: master, security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Release Note:
      Fixes an issue with loading customer coprocessor endpoint implementations inside of the HBase Master which breaks Apache Ranger.

      Description

      Sharmadha brought a failure to my attention trying to use Ranger with HBase 2.0 where the grant command was erroring out unexpectedly. The cluster had the Ranger-specific coprocessors deployed, per what was previously working on the HBase 1.1 line.

      After some digging, I found that the the Master is actually making a check explicitly for a Coprocessor that has the name org.apache.hadoop.hbase.security.access.AccessController (short name or full name), instead of looking for a deployed coprocessor which can be assigned to AccessController (which is what Ranger does). We have the CoprocessorHost methods to do the latter already implemented; it strikes me that we just accidentally used the wrong method in MasterRpcServices.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                elserj Josh Elser
                Reporter:
                ssainath Sharmadha Sainath
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: