Logic is culled from the namenode and jobtracker for consistency.

0.94 patch, includes updating the hadoop-0.23 dependency since there are binary incompatible changes. Also 0.23.3 should be released in a few weeks.

@Francis:
Hadoop QA would pick up the latest attachment.
In the future, please attach trunk patch last.

Will do, thanks for the tip.

getConnectionAuthenticationMethod() is a private method, can it be inlined ?

Minor:
javadoc for parameters of getConnectionAuthenticationMethod() and isAllowedDelegationTokenOp() is missing.

v2 addresses the above comments.

Looks good to me.

-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12542654/6671-trunk-v2.txt
against trunk revision .

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.

+1 hadoop2.0. The patch compiles against the hadoop 2.0 profile.

-1 javadoc. The javadoc tool appears to have generated 94 warning messages.

-1 javac. The applied patch generated 5 javac compiler warnings (more than the trunk's current 4 warnings).

-1 findbugs. The patch appears to introduce 13 new Findbugs (version 1.3.9) warnings.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

+1 core tests. The patch passed unit tests in .

Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//console

This message is automatically generated.

@Gary, @Andy:
Do you have further comment about Francis' patch ?

Looks good to me. This should be applied to 0.94 too.

Integrated to trunk.

@Francis:
Can you attach patch for 0.94 ?

Thanks

Integrated in HBase-TRUNK #3289 (See https://builds.apache.org/job/HBase-TRUNK/3289/)
HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378142)

Result = FAILURE
Tedyu :
Files :

• /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java

updated 0.94 patch.

-1 overall. Here are the results of testing the latest attachment
http://issues.apache.org/jira/secure/attachment/12542800/proxy_fix_94.patch
against trunk revision .

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests.
Please justify why no new tests are needed for this patch.
Also please list what manual steps were performed to verify this patch.

-1 patch. The patch command could not apply the patch.

Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2722//console

This message is automatically generated.

Integrated to 0.94 as well.

Thanks for the patch, Francis.

Thanks for the review, Andy.

Integrated in HBase-0.94 #442 (See https://builds.apache.org/job/HBase-0.94/442/)
HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378268)

Result = FAILURE
Tedyu :
Files :

• /hbase/branches/0.94/pom.xml
• /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java

Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #153 (See https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/153/)
HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378142)

Result = FAILURE
Tedyu :
Files :

• /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java

Sorry for chiming in late, but I want to understand what is going on here. I was reading HBase security code and the attached patch. A basic question:
Do we support proxy users? If so, then a use Joe who is not kerberos authenticated can access hbase services by piggybacking on hbase credentials. How one can enable/use it? Please share.

EDIT:
If so, then a user Joe who is not kerberos authenticated can access hbase services by piggybacking on hbase credentials?

Integrated in HBase-0.94-security #51 (See https://builds.apache.org/job/HBase-0.94-security/51/)
HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378268)

Result = FAILURE
Tedyu :
Files :

• /hbase/branches/0.94/pom.xml
• /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java

Integrated in HBase-0.94-security-on-Hadoop-23 #7 (See https://builds.apache.org/job/HBase-0.94-security-on-Hadoop-23/7/)
HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378268)

Result = FAILURE
Tedyu :
Files :

• /hbase/branches/0.94/pom.xml
• /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java

Fix up after bulk move overwrote some 0.94.2 fix versions w/ 0.95.0 (Noticed by Lars Hofhansl)