Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 4.2.0
- None
- None
Description
The method we are using for obtaining tokens from HBase in HbaseCredentials.java does not appear to be proxying correctly. It obtains a token for the Oozie server user instead of the proxied user, causing a problem inside workflow actions that reference it.
Here's a demonstration (the first method is how Oozie does it today, and the second method is a more manual one which works correctly instead):
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.mapred.JobConf;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;

public class Main {
    public static void main(String[] args) throws Exception {
        String user = "harsh";
        // Proxy user "harsh" on top of the logged-in (Oozie server) user.
        UserGroupInformation ugi =
            UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
        User u = User.create(ugi);

        // Method 1: how Oozie obtains the token today.
        JobConf conf = new JobConf(HBaseConfiguration.create());
        u.obtainAuthTokenForJob(conf);
        for (Token<? extends TokenIdentifier> token : conf.getCredentials().getAllTokens()) {
            System.out.println(token.getKind());
            System.out.println(token.decodeIdentifier().getUser());
        }

        System.out.println();

        // Method 2: the manual approach, obtaining the token inside runAs().
        final JobConf conf2 = new JobConf(HBaseConfiguration.create());
        Token<AuthenticationTokenIdentifier> token =
            u.runAs(new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
                public Token<AuthenticationTokenIdentifier> run() throws Exception {
                    return TokenUtil.obtainToken(conf2);
                }
            });
        conf2.getCredentials().addToken(token.getService(), token);
        for (Token<? extends TokenIdentifier> token2 : conf2.getCredentials().getAllTokens()) {
            System.out.println(token2.getKind());
            System.out.println(token2.decodeIdentifier().getUser());
        }
    }
}

// kinit -kt oozie.keytab oozie/$(hostname -f)
// javac -cp $(hbase classpath) Main.java
// java -cp $PWD:$(hbase classpath) Main
This prints:
HBASE_AUTH_TOKEN
oozie@EXAMPLE.COM (auth:SIMPLE)

HBASE_AUTH_TOKEN
harsh (auth:SIMPLE)
The first token is identified as the server user, vs. the required proxied user string.
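
A guard for the condition described in this report, as an added example that is not part of the original report or of Oozie/HBase code: it decodes each HBase token in a `Credentials` object and refuses to continue when the token's owner is not the proxied user. The class and method names are hypothetical, and the short-name comparison assumes the cluster's `auth_to_local` rules can resolve the owner principal.

```java
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

import java.io.IOException;

/** Hypothetical helper (not part of Oozie or HBase): verifies HBase token ownership. */
public final class TokenOwnerCheck {
    // Token kind as printed by the demonstration in the report.
    private static final String HBASE_KIND = "HBASE_AUTH_TOKEN";

    private TokenOwnerCheck() { }

    /**
     * Throws if any HBase token in creds was issued to a user other than
     * expectedUser (the short name of the proxied, i.e. submitting, user).
     * Returns the number of HBase tokens that passed the check.
     */
    public static int assertHBaseTokensOwnedBy(Credentials creds, String expectedUser)
            throws IOException {
        int checked = 0;
        for (Token<? extends TokenIdentifier> token : creds.getAllTokens()) {
            if (!HBASE_KIND.equals(token.getKind().toString())) {
                continue; // only HBase tokens are in scope here
            }
            TokenIdentifier id = token.decodeIdentifier();
            if (id == null) {
                // decodeIdentifier() returns null when the identifier class
                // for this token kind is not available on the classpath.
                throw new IOException("Cannot decode " + HBASE_KIND + " identifier");
            }
            UserGroupInformation owner = id.getUser();
            // Compare short names: the report shows "oozie@EXAMPLE.COM" vs. "harsh".
            if (owner == null || !expectedUser.equals(owner.getShortUserName())) {
                throw new SecurityException(HBASE_KIND + " issued to '"
                        + (owner == null ? "<unknown>" : owner.getUserName())
                        + "', expected '" + expectedUser + "'");
            }
            checked++;
        }
        return checked;
    }
}
```

Called as `TokenOwnerCheck.assertHBaseTokensOwnedBy(conf.getCredentials(), user)` in the demonstration above, it would reject the credentials from the first method and accept those from the second.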