HBase
  1. HBase
  2. HBASE-6671

Kerberos authenticated super user should be able to retrieve proxied delegation tokens

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 0.94.1
    • Fix Version/s: 0.94.2
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      There a services such a oozie which perform actions in behalf of the user using proxy authentication. Retrieving delegation tokens should support this behavior.

      1. 6671-trunk-v2.txt
        2 kB
        Ted Yu
      2. proxy_fix_94.patch
        2 kB
        Francis Liu
      3. proxy_fix_94.patch
        3 kB
        Francis Liu
      4. proxy_fix_trunk.patch
        3 kB
        Francis Liu

        Activity

        Hide
        Francis Liu added a comment -

        Logic is culled from the namenode and jobtracker for consistency.

        Show
        Francis Liu added a comment - Logic is culled from the namenode and jobtracker for consistency.
        Hide
        Francis Liu added a comment -

        0.94 patch, includes updating the hadoop-0.23 dependency since there are binary incompatible changes. Also 0.23.3 should be released in a few weeks.

        Show
        Francis Liu added a comment - 0.94 patch, includes updating the hadoop-0.23 dependency since there are binary incompatible changes. Also 0.23.3 should be released in a few weeks.
        Hide
        Ted Yu added a comment -

        @Francis:
        Hadoop QA would pick up the latest attachment.
        In the future, please attach trunk patch last.

        Show
        Ted Yu added a comment - @Francis: Hadoop QA would pick up the latest attachment. In the future, please attach trunk patch last.
        Hide
        Francis Liu added a comment -

        Will do, thanks for the tip.

        Show
        Francis Liu added a comment - Will do, thanks for the tip.
        Hide
        Ted Yu added a comment -

        getConnectionAuthenticationMethod() is a private method, can it be inlined ?

        Minor:
        javadoc for parameters of getConnectionAuthenticationMethod() and isAllowedDelegationTokenOp() is missing.

        Show
        Ted Yu added a comment - getConnectionAuthenticationMethod() is a private method, can it be inlined ? Minor: javadoc for parameters of getConnectionAuthenticationMethod() and isAllowedDelegationTokenOp() is missing.
        Hide
        Ted Yu added a comment -

        v2 addresses the above comments.

        Show
        Ted Yu added a comment - v2 addresses the above comments.
        Hide
        Francis Liu added a comment -

        Looks good to me.

        Show
        Francis Liu added a comment - Looks good to me.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12542654/6671-trunk-v2.txt
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 hadoop2.0. The patch compiles against the hadoop 2.0 profile.

        -1 javadoc. The javadoc tool appears to have generated 94 warning messages.

        -1 javac. The applied patch generated 5 javac compiler warnings (more than the trunk's current 4 warnings).

        -1 findbugs. The patch appears to introduce 13 new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 core tests. The patch passed unit tests in .

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12542654/6671-trunk-v2.txt against trunk revision . +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 hadoop2.0. The patch compiles against the hadoop 2.0 profile. -1 javadoc. The javadoc tool appears to have generated 94 warning messages. -1 javac. The applied patch generated 5 javac compiler warnings (more than the trunk's current 4 warnings). -1 findbugs. The patch appears to introduce 13 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2706//console This message is automatically generated.
        Hide
        Ted Yu added a comment -

        @Gary, @Andy:
        Do you have further comment about Francis' patch ?

        Show
        Ted Yu added a comment - @Gary, @Andy: Do you have further comment about Francis' patch ?
        Hide
        Andrew Purtell added a comment -

        Looks good to me. This should be applied to 0.94 too.

        Show
        Andrew Purtell added a comment - Looks good to me. This should be applied to 0.94 too.
        Hide
        Ted Yu added a comment -

        Integrated to trunk.

        @Francis:
        Can you attach patch for 0.94 ?

        Thanks

        Show
        Ted Yu added a comment - Integrated to trunk. @Francis: Can you attach patch for 0.94 ? Thanks
        Hide
        Hudson added a comment -

        Integrated in HBase-TRUNK #3289 (See https://builds.apache.org/job/HBase-TRUNK/3289/)
        HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378142)

        Result = FAILURE
        Tedyu :
        Files :

        • /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Show
        Hudson added a comment - Integrated in HBase-TRUNK #3289 (See https://builds.apache.org/job/HBase-TRUNK/3289/ ) HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378142) Result = FAILURE Tedyu : Files : /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Hide
        Francis Liu added a comment -

        updated 0.94 patch.

        Show
        Francis Liu added a comment - updated 0.94 patch.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12542800/proxy_fix_94.patch
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        -1 patch. The patch command could not apply the patch.

        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2722//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12542800/proxy_fix_94.patch against trunk revision . +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. -1 patch. The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2722//console This message is automatically generated.
        Hide
        Ted Yu added a comment -

        Integrated to 0.94 as well.

        Thanks for the patch, Francis.

        Thanks for the review, Andy.

        Show
        Ted Yu added a comment - Integrated to 0.94 as well. Thanks for the patch, Francis. Thanks for the review, Andy.
        Hide
        Hudson added a comment -

        Integrated in HBase-0.94 #442 (See https://builds.apache.org/job/HBase-0.94/442/)
        HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378268)

        Result = FAILURE
        Tedyu :
        Files :

        • /hbase/branches/0.94/pom.xml
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Show
        Hudson added a comment - Integrated in HBase-0.94 #442 (See https://builds.apache.org/job/HBase-0.94/442/ ) HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378268) Result = FAILURE Tedyu : Files : /hbase/branches/0.94/pom.xml /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Hide
        Hudson added a comment -

        Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #153 (See https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/153/)
        HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378142)

        Result = FAILURE
        Tedyu :
        Files :

        • /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Show
        Hudson added a comment - Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #153 (See https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/153/ ) HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378142) Result = FAILURE Tedyu : Files : /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Hide
        Himanshu Vashishtha added a comment -

        Sorry for chiming in late, but I want to understand what is going on here. I was reading HBase security code and the attached patch. A basic question:
        Do we support proxy users? If so, then a use Joe who is not kerberos authenticated can access hbase services by piggybacking on hbase credentials. How one can enable/use it? Please share.

        Show
        Himanshu Vashishtha added a comment - Sorry for chiming in late, but I want to understand what is going on here. I was reading HBase security code and the attached patch. A basic question: Do we support proxy users? If so, then a use Joe who is not kerberos authenticated can access hbase services by piggybacking on hbase credentials. How one can enable/use it? Please share.
        Hide
        Himanshu Vashishtha added a comment -

        EDIT:
        If so, then a user Joe who is not kerberos authenticated can access hbase services by piggybacking on hbase credentials?

        Show
        Himanshu Vashishtha added a comment - EDIT: If so, then a user Joe who is not kerberos authenticated can access hbase services by piggybacking on hbase credentials?
        Hide
        Hudson added a comment -

        Integrated in HBase-0.94-security #51 (See https://builds.apache.org/job/HBase-0.94-security/51/)
        HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378268)

        Result = FAILURE
        Tedyu :
        Files :

        • /hbase/branches/0.94/pom.xml
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Show
        Hudson added a comment - Integrated in HBase-0.94-security #51 (See https://builds.apache.org/job/HBase-0.94-security/51/ ) HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378268) Result = FAILURE Tedyu : Files : /hbase/branches/0.94/pom.xml /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Hide
        Hudson added a comment -

        Integrated in HBase-0.94-security-on-Hadoop-23 #7 (See https://builds.apache.org/job/HBase-0.94-security-on-Hadoop-23/7/)
        HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378268)

        Result = FAILURE
        Tedyu :
        Files :

        • /hbase/branches/0.94/pom.xml
        • /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Show
        Hudson added a comment - Integrated in HBase-0.94-security-on-Hadoop-23 #7 (See https://builds.apache.org/job/HBase-0.94-security-on-Hadoop-23/7/ ) HBASE-6671 Kerberos authenticated super user should be able to retrieve proxied delegation tokens (Francis) (Revision 1378268) Result = FAILURE Tedyu : Files : /hbase/branches/0.94/pom.xml /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
        Hide
        stack added a comment -

        Fix up after bulk move overwrote some 0.94.2 fix versions w/ 0.95.0 (Noticed by Lars Hofhansl)

        Show
        stack added a comment - Fix up after bulk move overwrote some 0.94.2 fix versions w/ 0.95.0 (Noticed by Lars Hofhansl)

          People

          • Assignee:
            Francis Liu
            Reporter:
            Francis Liu
          • Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development