HBase
  1. HBase
  2. HBASE-9866

Support the mode where REST server authorizes proxy users

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.98.0, 0.99.0
    • Component/s: None
    • Labels:
      None
    • Release Note:
      Hide
      hbase.rest.support.proxyuser when set to true would enable enable proxy-user support in the REST server. Like any other server, e.g., NameNode, which supports proxy user mode, appropriate proxy-user configuration needs to be set as well in the REST server (hadoop.proxyuser.$user.hosts, hadoop.proxyuser.$user.groups). Requests can then be made to the REST server with a 'doAs' in the query string url and if proxy user authorization check passes, the query will be executed as the 'doAs' user.
      Show
      hbase.rest.support.proxyuser when set to true would enable enable proxy-user support in the REST server. Like any other server, e.g., NameNode, which supports proxy user mode, appropriate proxy-user configuration needs to be set as well in the REST server (hadoop.proxyuser.$user.hosts, hadoop.proxyuser.$user.groups). Requests can then be made to the REST server with a 'doAs' in the query string url and if proxy user authorization check passes, the query will be executed as the 'doAs' user.

      Description

      In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today.
      The curl request would be something like (assuming SPNEGO auth) -

      curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster?doas=<USER>
      
      1. 9866-4.txt
        6 kB
        Devaraj Das
      2. 9866-4.txt
        6 kB
        Devaraj Das
      3. 9866-3.txt
        6 kB
        Devaraj Das
      4. 9866-2.txt
        6 kB
        Devaraj Das
      5. 9866-1.txt
        5 kB
        Devaraj Das

        Activity

        Hide
        Devaraj Das added a comment -

        First version of the patch.

        Show
        Devaraj Das added a comment - First version of the patch.
        Hide
        Jimmy Xiang added a comment -

        Why do we need this? REST server does support proxy users. You should use -u to specify the user, right?

        curl -i --negotiate -u <USER>/DOMAIN http://<HOST>:<PORT>/version/cluster

        Show
        Jimmy Xiang added a comment - Why do we need this? REST server does support proxy users. You should use -u to specify the user, right? curl -i --negotiate -u <USER>/DOMAIN http://<HOST>:<PORT>/version/cluster
        Hide
        Devaraj Das added a comment -

        I see. Let me check that aspect then.

        Show
        Devaraj Das added a comment - I see. Let me check that aspect then.
        Hide
        Dilli Arumugam added a comment -

        In response to Question from Jimmy

        Why do we need this? REST server does support proxy users. You should use -u to specify the user, right?
        curl -i --negotiate -u <USER>/DOMAIN http://<HOST>:<PORT>/version/cluster

        We need this for Apache Knox.
        Apache Knox provides perimeter security.
        The flow would be
        Rest Client -> Knox -> HBase Rest Gateway
        Knox authenticates its Rest client using Http Basic.
        Knox itself authenticates to HBase Rest Gateway using SPNego.
        Then, Knox proxies for the end user.
        So, HBase Rest gateway should allow Knox to pass doAs parameter with the value of end user identity.

        Show
        Dilli Arumugam added a comment - In response to Question from Jimmy Why do we need this? REST server does support proxy users. You should use -u to specify the user, right? curl -i --negotiate -u <USER>/DOMAIN http://<HOST>:<PORT>/version/cluster We need this for Apache Knox. Apache Knox provides perimeter security. The flow would be Rest Client -> Knox -> HBase Rest Gateway Knox authenticates its Rest client using Http Basic. Knox itself authenticates to HBase Rest Gateway using SPNego. Then, Knox proxies for the end user. So, HBase Rest gateway should allow Knox to pass doAs parameter with the value of end user identity.
        Hide
        Dilli Arumugam added a comment -

        In the context of curl usage
        curl -i --negotiate -u <USER>/DOMAIN http://<HOST>:<PORT>/version/cluster
        As far as I know and tested, the usage is
        curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster
        Value of option -u is ignored.
        The identity of the caller is established based on the kerberos ticket in ticket cache.
        Kerberos ticket would have been populated by a call to kinit.

        In the context of Knox usage, the caller identity established by kerberos ticket is that of "knox". Knox has to tell HBase Rest gateway that the call is made on behalf of specific end user. That end user identity has to go in as doAs query parameter value. That is how it happens for WebHDFS, Oozie and WebHCat calls from Knox.

        Show
        Dilli Arumugam added a comment - In the context of curl usage curl -i --negotiate -u <USER>/DOMAIN http://<HOST>:<PORT>/version/cluster As far as I know and tested, the usage is curl -i --negotiate -u : http://<HOST>:<PORT>/version/cluster Value of option -u is ignored. The identity of the caller is established based on the kerberos ticket in ticket cache. Kerberos ticket would have been populated by a call to kinit. In the context of Knox usage, the caller identity established by kerberos ticket is that of "knox". Knox has to tell HBase Rest gateway that the call is made on behalf of specific end user. That end user identity has to go in as doAs query parameter value. That is how it happens for WebHDFS, Oozie and WebHCat calls from Knox.
        Hide
        Jimmy Xiang added a comment -

        Makes sense.

        Show
        Jimmy Xiang added a comment - Makes sense.
        Hide
        Devaraj Das added a comment -

        Pushing through hadoopqa.

        Show
        Devaraj Das added a comment - Pushing through hadoopqa.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12611231/9866-1.txt
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 hadoop1.0. The patch compiles against the hadoop 1.0 profile.

        +1 hadoop2.0. The patch compiles against the hadoop 2.0 profile.

        -1 javadoc. The javadoc tool appears to have generated 1 warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        -1 findbugs. The patch appears to introduce 1 new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 lineLengths. The patch does not introduce lines longer than 100

        -1 site. The patch appears to cause mvn site goal to fail.

        +1 core tests. The patch passed unit tests in .

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12611231/9866-1.txt against trunk revision . +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 hadoop1.0 . The patch compiles against the hadoop 1.0 profile. +1 hadoop2.0 . The patch compiles against the hadoop 2.0 profile. -1 javadoc . The javadoc tool appears to have generated 1 warning messages. +1 javac . The applied patch does not increase the total number of javac compiler warnings. -1 findbugs . The patch appears to introduce 1 new Findbugs (version 1.3.9) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 lineLengths . The patch does not introduce lines longer than 100 -1 site . The patch appears to cause mvn site goal to fail. +1 core tests . The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//console This message is automatically generated.
        Hide
        Jimmy Xiang added a comment -

        + Lock lock = locker.acquireLock(effectiveUser.get().getUserName());

        Are we sure effectiveUser is always set even when SPENGO/security is not enabled?

        final String doAsUserFromQuery = request.getParameter("doas");

        Should we use parameter "doAs"?

        Can we make sure there is no javadoc/findbugs warnings?

        Another thing is that we have two proxy users. One is the user authenticated with SPENGO. The other is the real user. We switch the proxy user in the middle. Is this a security concern?

        I was wondering if Knox should talks to HBase directly as a proxy, instead of going through REST server as another level proxying?

        Francis Liu, any comments?

        Show
        Jimmy Xiang added a comment - + Lock lock = locker.acquireLock(effectiveUser.get().getUserName()); Are we sure effectiveUser is always set even when SPENGO/security is not enabled? final String doAsUserFromQuery = request.getParameter("doas"); Should we use parameter "doAs"? Can we make sure there is no javadoc/findbugs warnings? Another thing is that we have two proxy users. One is the user authenticated with SPENGO. The other is the real user. We switch the proxy user in the middle. Is this a security concern? I was wondering if Knox should talks to HBase directly as a proxy, instead of going through REST server as another level proxying? Francis Liu , any comments?
        Hide
        Dilli Arumugam added a comment -

        Knox talks only REST to Hadoop services.
        Knox unified and secure REST endpoint to its client, for all downstream REST end points of Hadoop services.

        Show
        Dilli Arumugam added a comment - Knox talks only REST to Hadoop services. Knox unified and secure REST endpoint to its client, for all downstream REST end points of Hadoop services.
        Hide
        Devaraj Das added a comment -

        Are we sure effectiveUser is always set even when SPENGO/security is not enabled?

        Yes. The constructor of RESTServlet initializes the realUser which is the initial value of effectiveUser.

        Should we use parameter "doAs"?

        I'll update this..

        Can we make sure there is no javadoc/findbugs warnings?

        Yes. I'll look at this..

        Another thing is that we have two proxy users. One is the user authenticated with SPENGO. The other is the real user. We switch the proxy user in the middle. Is this a security concern?

        We have proxy user authorization check before the switch is made.

        ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);

        . The proxy user authorization check will fail unless the user making the REST call is authorized to perform the doAs on behalf of the configured group and he is coming from a known IP address. No new security concern here ..

        Show
        Devaraj Das added a comment - Are we sure effectiveUser is always set even when SPENGO/security is not enabled? Yes. The constructor of RESTServlet initializes the realUser which is the initial value of effectiveUser. Should we use parameter "doAs"? I'll update this.. Can we make sure there is no javadoc/findbugs warnings? Yes. I'll look at this.. Another thing is that we have two proxy users. One is the user authenticated with SPENGO. The other is the real user. We switch the proxy user in the middle. Is this a security concern? We have proxy user authorization check before the switch is made. ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); . The proxy user authorization check will fail unless the user making the REST call is authorized to perform the doAs on behalf of the configured group and he is coming from a known IP address. No new security concern here ..
        Hide
        Jimmy Xiang added a comment -

        I saw that. It is something like user A is allowed to do something on behalf of user B, now let user C to do it on behalf of user B instead, if allowed. If A == C and they share the same configuration, it may be fine. Now, A could be different from C. Even they are the same, the configuration could be different since one is the REST server (i,e, HBase client side), the other is on the HBase server (master/rs) side.

        Show
        Jimmy Xiang added a comment - I saw that. It is something like user A is allowed to do something on behalf of user B, now let user C to do it on behalf of user B instead, if allowed. If A == C and they share the same configuration, it may be fine. Now, A could be different from C. Even they are the same, the configuration could be different since one is the REST server (i,e, HBase client side), the other is on the HBase server (master/rs) side.
        Hide
        Devaraj Das added a comment -

        Definitely, we need to be careful about configuring things with the potential security holes in mind. Also, one can choose to disable this by not configuring the proxy user settings for the REST server. Right?

        Show
        Devaraj Das added a comment - Definitely, we need to be careful about configuring things with the potential security holes in mind. Also, one can choose to disable this by not configuring the proxy user settings for the REST server. Right?
        Hide
        Francis Liu added a comment -

        This will make auditing a bit hard since the real user is lost when it hits the RS. Can we log a doAs message so we can trace back?

        Given that we're adding doAs support in reset. It's prolly a good idea to provide a way to refresh the ProxyUsers config without restarting the server.

        BTW do the other webservices support doAs (hdfs's proxy, webhcat, etc)?

        Show
        Francis Liu added a comment - This will make auditing a bit hard since the real user is lost when it hits the RS. Can we log a doAs message so we can trace back? Given that we're adding doAs support in reset. It's prolly a good idea to provide a way to refresh the ProxyUsers config without restarting the server. BTW do the other webservices support doAs (hdfs's proxy, webhcat, etc)?
        Hide
        Jimmy Xiang added a comment -

        In case the REST server shares the same configuration with rs/master, can we have a config and turn this feature off by default?

        Show
        Jimmy Xiang added a comment - In case the REST server shares the same configuration with rs/master, can we have a config and turn this feature off by default?
        Hide
        Devaraj Das added a comment -

        Francis Liu, yes, services like webhcat supports doAs, but they have different config knobs for configuring the groups/ip-addresses. Maybe they map these configurations to the underlying Hadoop configurations internally.

        Jimmy Xiang, okay will add a configuration for turning this feature on/off...

        Show
        Devaraj Das added a comment - Francis Liu , yes, services like webhcat supports doAs, but they have different config knobs for configuring the groups/ip-addresses. Maybe they map these configurations to the underlying Hadoop configurations internally. Jimmy Xiang , okay will add a configuration for turning this feature on/off...
        Hide
        Andrew Purtell added a comment -

        Based on comments, patch is stale, cancelling it.

        Show
        Andrew Purtell added a comment - Based on comments, patch is stale, cancelling it.
        Hide
        Devaraj Das added a comment -

        Patch with the support for proxy-user configurable.

        Show
        Devaraj Das added a comment - Patch with the support for proxy-user configurable.
        Hide
        Devaraj Das added a comment -

        The right patch..

        Show
        Devaraj Das added a comment - The right patch..
        Hide
        Jimmy Xiang added a comment -

        Can we 1. change doas to doAs to be aligned with other Hadoop components, 2, use the configuration in RESTServlet instance instead of the servlet context, 3, throw an exception if the feature is disabled while someone passed in doAs parameter to avoid confusing? Thanks.

        Show
        Jimmy Xiang added a comment - Can we 1. change doas to doAs to be aligned with other Hadoop components, 2, use the configuration in RESTServlet instance instead of the servlet context, 3, throw an exception if the feature is disabled while someone passed in doAs parameter to avoid confusing? Thanks.
        Hide
        Devaraj Das added a comment -

        Thanks for the feedback (and sorry for missing out on those points in my previous patch - meant to). Fixed patch attached.

        Show
        Devaraj Das added a comment - Thanks for the feedback (and sorry for missing out on those points in my previous patch - meant to). Fixed patch attached.
        Hide
        Jimmy Xiang added a comment -

        Just one minor issue.

        +    if (!proxyConfigured) {
        

        should be

        +    if (doAsUserFromQuery != null && !proxyConfigured) {
        

        Other than that, it is fine with me. Not sure if Andrew Purtell, or Francis Liu have any comments.

        Show
        Jimmy Xiang added a comment - Just one minor issue. + if (!proxyConfigured) { should be + if (doAsUserFromQuery != null && !proxyConfigured) { Other than that, it is fine with me. Not sure if Andrew Purtell , or Francis Liu have any comments.
        Hide
        Devaraj Das added a comment -

        Thanks for the catch, Jimmy Xiang. Fixed it.

        Andrew Purtell, Francis Liu, any comments?

        Show
        Devaraj Das added a comment - Thanks for the catch, Jimmy Xiang . Fixed it. Andrew Purtell , Francis Liu , any comments?
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12613238/9866-2.txt
        against trunk revision .

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 hadoop1.0. The patch compiles against the hadoop 1.0 profile.

        +1 hadoop2.0. The patch compiles against the hadoop 2.0 profile.

        -1 javadoc. The javadoc tool appears to have generated 1 warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 lineLengths. The patch does not introduce lines longer than 100

        -1 site. The patch appears to cause mvn site goal to fail.

        -1 core tests. The patch failed these unit tests:

        -1 core zombie tests. There are 1 zombie test(s): at org.apache.hadoop.hbase.TestZooKeeper.testRegionAssignmentAfterMasterRecoveryDueToZKExpiry(TestZooKeeper.java:488)

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12613238/9866-2.txt against trunk revision . +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 hadoop1.0 . The patch compiles against the hadoop 1.0 profile. +1 hadoop2.0 . The patch compiles against the hadoop 2.0 profile. -1 javadoc . The javadoc tool appears to have generated 1 warning messages. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 findbugs . The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 lineLengths . The patch does not introduce lines longer than 100 -1 site . The patch appears to cause mvn site goal to fail. -1 core tests . The patch failed these unit tests: -1 core zombie tests . There are 1 zombie test(s): at org.apache.hadoop.hbase.TestZooKeeper.testRegionAssignmentAfterMasterRecoveryDueToZKExpiry(TestZooKeeper.java:488) Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//console This message is automatically generated.
        Hide
        Devaraj Das added a comment -

        Ping... Any comments. Good to commit?

        Show
        Devaraj Das added a comment - Ping... Any comments. Good to commit?
        Hide
        Andrew Purtell added a comment -

        The general idea is fine, but I don't have time to look at this in detail. Reading briefly above looks like Jimmy Xiang provided review, ping him?

        Show
        Andrew Purtell added a comment - The general idea is fine, but I don't have time to look at this in detail. Reading briefly above looks like Jimmy Xiang provided review, ping him?
        Hide
        Jimmy Xiang added a comment -

        I am fine with the change. If we are ok with the general idea, +1 then.

        Show
        Jimmy Xiang added a comment - I am fine with the change. If we are ok with the general idea, +1 then.
        Hide
        Devaraj Das added a comment -

        Thanks, folks. Andrew, would you be okay with this committed to 0.98?

        Show
        Devaraj Das added a comment - Thanks, folks. Andrew, would you be okay with this committed to 0.98?
        Hide
        Andrew Purtell added a comment -

        Andrew, would you be okay with this committed to 0.98?

        +1

        Show
        Andrew Purtell added a comment - Andrew, would you be okay with this committed to 0.98? +1
        Hide
        Devaraj Das added a comment -

        Reattaching the last patch for hadoopqa.

        Show
        Devaraj Das added a comment - Reattaching the last patch for hadoopqa.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12619504/9866-4.txt
        against trunk revision .
        ATTACHMENT ID: 12619504

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 hadoop1.0. The patch compiles against the hadoop 1.0 profile.

        +1 hadoop1.1. The patch compiles against the hadoop 1.1 profile.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        +1 lineLengths. The patch does not introduce lines longer than 100

        -1 site. The patch appears to cause mvn site goal to fail.

        -1 core tests. The patch failed these unit tests:
        org.apache.hadoop.hbase.regionserver.TestSplitTransaction

        Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
        Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
        Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall . Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12619504/9866-4.txt against trunk revision . ATTACHMENT ID: 12619504 +1 @author . The patch does not contain any @author tags. -1 tests included . The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 hadoop1.0 . The patch compiles against the hadoop 1.0 profile. +1 hadoop1.1 . The patch compiles against the hadoop 1.1 profile. +1 javadoc . The javadoc tool did not generate any warning messages. +1 javac . The applied patch does not increase the total number of javac compiler warnings. +1 findbugs . The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit . The applied patch does not increase the total number of release audit warnings. +1 lineLengths . The patch does not introduce lines longer than 100 -1 site . The patch appears to cause mvn site goal to fail. -1 core tests . The patch failed these unit tests: org.apache.hadoop.hbase.regionserver.TestSplitTransaction Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//console This message is automatically generated.
        Hide
        Devaraj Das added a comment -

        Committed.

        Show
        Devaraj Das added a comment - Committed.
        Hide
        Hudson added a comment -

        SUCCESS: Integrated in HBase-TRUNK #4739 (See https://builds.apache.org/job/HBase-TRUNK/4739/)
        HBASE-9866. Support the mode where REST server authorizes proxy users (ddas: rev 1552385)

        • /hbase/trunk/hbase-common/src/main/resources/hbase-default.xml
        • /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java
        • /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
        Show
        Hudson added a comment - SUCCESS: Integrated in HBase-TRUNK #4739 (See https://builds.apache.org/job/HBase-TRUNK/4739/ ) HBASE-9866 . Support the mode where REST server authorizes proxy users (ddas: rev 1552385) /hbase/trunk/hbase-common/src/main/resources/hbase-default.xml /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
        Hide
        Hudson added a comment -

        FAILURE: Integrated in HBase-0.98 #24 (See https://builds.apache.org/job/HBase-0.98/24/)
        HBASE-9866. Support the mode where REST server authorizes proxy users (ddas: rev 1552386)

        • /hbase/branches/0.98/hbase-common/src/main/resources/hbase-default.xml
        • /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java
        • /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
        Show
        Hudson added a comment - FAILURE: Integrated in HBase-0.98 #24 (See https://builds.apache.org/job/HBase-0.98/24/ ) HBASE-9866 . Support the mode where REST server authorizes proxy users (ddas: rev 1552386) /hbase/branches/0.98/hbase-common/src/main/resources/hbase-default.xml /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
        Hide
        Hudson added a comment -

        FAILURE: Integrated in HBase-0.98-on-Hadoop-1.1 #22 (See https://builds.apache.org/job/HBase-0.98-on-Hadoop-1.1/22/)
        HBASE-9866. Support the mode where REST server authorizes proxy users (ddas: rev 1552386)

        • /hbase/branches/0.98/hbase-common/src/main/resources/hbase-default.xml
        • /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java
        • /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
        Show
        Hudson added a comment - FAILURE: Integrated in HBase-0.98-on-Hadoop-1.1 #22 (See https://builds.apache.org/job/HBase-0.98-on-Hadoop-1.1/22/ ) HBASE-9866 . Support the mode where REST server authorizes proxy users (ddas: rev 1552386) /hbase/branches/0.98/hbase-common/src/main/resources/hbase-default.xml /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
        Hide
        Hudson added a comment -

        SUCCESS: Integrated in HBase-TRUNK-on-Hadoop-1.1 #13 (See https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-1.1/13/)
        HBASE-9866. Support the mode where REST server authorizes proxy users (ddas: rev 1552385)

        • /hbase/trunk/hbase-common/src/main/resources/hbase-default.xml
        • /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java
        • /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
        Show
        Hudson added a comment - SUCCESS: Integrated in HBase-TRUNK-on-Hadoop-1.1 #13 (See https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-1.1/13/ ) HBASE-9866 . Support the mode where REST server authorizes proxy users (ddas: rev 1552385) /hbase/trunk/hbase-common/src/main/resources/hbase-default.xml /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java

          People

          • Assignee:
            Devaraj Das
            Reporter:
            Devaraj Das
          • Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development