Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-4475

When running an embedded ThriftServer, use User.runAs() to allow it to run as a separate principal from the embedding region server

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Not A Problem
    • None
    • None
    • security, Thrift
    • None

    Description

      As discussed over in HBASE-4460, the current approach to ThriftServer authentication (provided in HBASE-4099) will not work in an embedded context, since the region server will already does a login for the process.

      We could make the embedded thrift server still run as a separate user, though, by doing something like the following:

      • add a User.loginAndReturnUser() variant that delegates to UserGroupInformation.loginUserFromKeytabAndReturnUGI(), then returns a wrapping User instance
      • call this method on startup for the embedded thrift server to get the thrift user instance
      • use User.runAs() to execute the body of HRegionThriftServer.run() as the logged in thrift user

      Attachments

        Issue Links

          relates to

          Sub-task - The sub-task of the issue HBASE-4099 Authentication for ThriftServer clients

          • Major - Major loss of function.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. HBASE-4460 Support running an embedded ThriftServer within a RegionServer

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              ghelmling Gary Helmling
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: