Oozie / OOZIE-2419

HBase credentials are not correctly proxied


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2.0
    • Fix Version/s: 4.3.0
    • Component/s: None
    • Labels:
      None

      Description

      The method we are using for obtaining tokens from HBase in HbaseCredentials.java does not appear to be proxying correctly. It obtains a token for the Oozie server user instead of the proxied user, causing a problem inside workflow actions that reference it.

      Here's a demonstration (the first method is how Oozie does it today, and the second method is a more manual one which works correctly instead):

      import org.apache.hadoop.hbase.HBaseConfiguration;
      import org.apache.hadoop.hbase.security.User;
      import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
      import org.apache.hadoop.hbase.security.token.TokenUtil;
      import org.apache.hadoop.mapred.JobConf;
      import org.apache.hadoop.security.UserGroupInformation;
      import org.apache.hadoop.security.token.Token;
      import org.apache.hadoop.security.token.TokenIdentifier;
      
      import java.security.PrivilegedExceptionAction;
      
      public class Main {
          public static void main(String[] args) throws Exception {
              String user = "harsh";
      
              // Proxy UGI: "harsh", impersonated by the logged-in (Oozie server) user
              UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
              User u = User.create(ugi);
      
              // Method 1: how Oozie obtains the token today
              JobConf conf = new JobConf(HBaseConfiguration.create());
              u.obtainAuthTokenForJob(conf);
              for (Token<? extends TokenIdentifier> token : conf.getCredentials().getAllTokens()) {
                  System.out.println(token.getKind());
                  System.out.println(token.decodeIdentifier().getUser());
              }
      
              System.out.println();
      
              // Method 2: obtain the token manually inside runAs() of the proxied user
              final JobConf conf2 = new JobConf(HBaseConfiguration.create());
              Token<AuthenticationTokenIdentifier> token = u.runAs(new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
                  public Token<AuthenticationTokenIdentifier> run() throws Exception {
                      return TokenUtil.obtainToken(conf2);
                  }
              });
              conf2.getCredentials().addToken(token.getService(), token);
              for (Token<? extends TokenIdentifier> token2 : conf2.getCredentials().getAllTokens()) {
                  System.out.println(token2.getKind());
                  System.out.println(token2.decodeIdentifier().getUser());
              }
          }
      }
      
      // kinit -kt oozie.keytab oozie/$(hostname -f)
      // javac -cp $(hbase classpath) Main.java
      // java -cp $PWD:$(hbase classpath) Main
      

      This prints:

      HBASE_AUTH_TOKEN
      oozie@EXAMPLE.COM (auth:SIMPLE)
      
      HBASE_AUTH_TOKEN
      harsh (auth:SIMPLE)
      

      The first token is identified as the server user, vs. the required proxied user string.
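
A guard for the condition reported above, as an added example that is not part of the original report or of Oozie's code: it checks the owner recorded in each token's identifier against the user being proxied and fails closed on a mismatch. The class name `TokenOwnerCheck` and the method `assertOwnedBy` are hypothetical; only standard Hadoop security classes are used, so it compiles against the same `hbase classpath` as the demonstration.

```java
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

import java.io.IOException;

// Added example (hypothetical helper, not Oozie code): refuse to hand out a
// token whose identifier names anyone other than the proxied user.
public final class TokenOwnerCheck {
    private TokenOwnerCheck() {}

    /**
     * @param creds        credentials about to be passed to a workflow action
     * @param expectedUser short name of the proxied (submitting) user
     * @param kind         token kind to check, e.g. "HBASE_AUTH_TOKEN"
     * @return number of tokens of that kind that were verified
     */
    public static int assertOwnedBy(Credentials creds, String expectedUser, String kind)
            throws IOException {
        int checked = 0;
        for (Token<? extends TokenIdentifier> token : creds.getAllTokens()) {
            if (!kind.equals(token.getKind().toString())) {
                continue; // other token kinds are out of scope for this check
            }
            // decodeIdentifier() returns null when the identifier class
            // is not available on the classpath; treat that as a failure.
            TokenIdentifier id = token.decodeIdentifier();
            UserGroupInformation owner = (id == null) ? null : id.getUser();
            // getShortUserName() maps the principal through the configured
            // auth_to_local rules, so a realm suffix does not affect the match.
            String actual = (owner == null) ? null : owner.getShortUserName();
            if (!expectedUser.equals(actual)) {
                throw new SecurityException("Token of kind " + kind
                        + " is owned by '" + actual
                        + "', expected proxied user '" + expectedUser + "'");
            }
            checked++;
        }
        return checked;
    }
}
```

Given the output shown above, calling `TokenOwnerCheck.assertOwnedBy(conf.getCredentials(), user, "HBASE_AUTH_TOKEN")` in the demonstration would throw for the first method's credentials and return 1 for `conf2`.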

        Attachments

        1. OOZIE-2419.001.patch
          2 kB
          Harsh J
        2. OOZIE-2419.002.patch
          3 kB
          Harsh J

            People

            • Assignee:
              qwertymaniac Harsh J
              Reporter:
              qwertymaniac Harsh J