HBase
  1. HBase
  2. HBASE-4475

When running an embedded ThriftServer, use User.runAs() to allow it to run as a separate principal from the embedding region server

    Details

    • Type: Improvement Improvement
    • Status: Open
    • Priority: Major Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security, Thrift
    • Labels:
      None

      Description

      As discussed over in HBASE-4460, the current approach to ThriftServer authentication (provided in HBASE-4099) will not work in an embedded context, since the region server will already does a login for the process.

      We could make the embedded thrift server still run as a separate user, though, by doing something like the following:

      • add a User.loginAndReturnUser() variant that delegates to UserGroupInformation.loginUserFromKeytabAndReturnUGI(), then returns a wrapping User instance
      • call this method on startup for the embedded thrift server to get the thrift user instance
      • use User.runAs() to execute the body of HRegionThriftServer.run() as the logged in thrift user

        Issue Links

          Activity

          There are no comments yet on this issue.

            People

            • Assignee:
              Unassigned
              Reporter:
              Gary Helmling
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:

                Development