[
https://issues.apache.org/jira/browse/AMBARI-13897?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jaimin D Jetly updated AMBARI-13897:
------------------------------------
Description:
In a newly installed cluster with security and ranger, I cannot find
{{hbase.coprocessor.regionserver.classes}} configured which is needed to
protect some of the direct RPCs to the regionserver (stopping regionserver is
an example).
In a proper cluster all *three* properties should be configured:
{code}
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
</property>
<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
<name>hbase.coprocessor.regionserver.classes</name>
<value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
{code}
In stackadvisor, I can see that we are configuring
{{hbase.coprocessor.regionserver.classes}}, but somehow in a newly installed
cluster, I don't find the setting in hbase-site.xml.
There are a couple of action items from this jira:
# Make sure that {{hbase.coprocessor.regionserver.classes}} is configured
properly for secure clusters.
# Reading the stackadvisor code, it can be improved so that if the customer has
configured other coprocessors, they are not lost. The logic for
{{hbase.coprocessor.regionserver.classes}} and
{{hbase.coprocessor.region.classes}} and {{hbase.coprocessor.master.classes}}
should be something like this:
- get the list of co-processors and put them to a set.
- If security is enabled, then add either ranger or hbase native AC
coprocessors to the set
- Else remove the AC and ranger AC coprocessors from the list
- write the configurations to hbase-site.
> [Security Issue] Ambari does not configure
> hbase.coprocessor.regionserver.classes
> ----------------------------------------------------------------------------------
>
> Key: AMBARI-13897
> URL: https://issues.apache.org/jira/browse/AMBARI-13897
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.1.0
> Reporter: Jaimin D Jetly
> Assignee: Jaimin D Jetly
> Priority: Critical
> Fix For: 2.1.3
>
> Attachments: AMBARI-13897.patch
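The merge logic proposed in the second action item, together with a check for the gap reported here, as an added example that is not Ambari's stack advisor code. The function names, the sample hbase-site contents and the Ranger coprocessor class name are assumptions; verify the Ranger class against the installed version.

```python
NATIVE_AC = "org.apache.hadoop.hbase.security.access.AccessController"
# Assumed Ranger HBase plugin class; it is not named in the issue.
RANGER_AC = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
AC_CLASSES = (NATIVE_AC, RANGER_AC)
REGION = "hbase.coprocessor.region.classes"
MASTER = "hbase.coprocessor.master.classes"
REGIONSERVER = "hbase.coprocessor.regionserver.classes"
PROPERTIES = (REGION, MASTER, REGIONSERVER)
# Extra region-level classes from the issue's secure-cluster example.
REGION_EXTRAS = ("org.apache.hadoop.hbase.security.token.TokenProvider",
                 "org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint")
# Constructed sample: a customer coprocessor on regions, native AC on the master only.
SAMPLE_SITE = {REGION: "com.example.CustomObserver", MASTER: NATIVE_AC}

def split_classes(value):
    """Parse a comma-separated class list: trim whitespace, drop blanks and duplicates."""
    seen = []
    for name in (value or "").split(","):
        name = name.strip()
        if name and name not in seen:
            seen.append(name)
    return seen

def merge_coprocessors(value, security_enabled, ranger_enabled, extras=()):
    """Return the new property value, keeping customer-configured coprocessors."""
    wanted = (RANGER_AC if ranger_enabled else NATIVE_AC) if security_enabled else None
    # Drop only the access-control classes that should not be active.
    classes = [c for c in split_classes(value) if c not in AC_CLASSES or c == wanted]
    if wanted:
        for name in (*extras, wanted):
            if name not in classes:
                classes.append(name)
    return ",".join(classes)

def recommend(hbase_site, security_enabled, ranger_enabled):
    """Recompute all three coprocessor properties of an hbase-site dict."""
    out = dict(hbase_site)
    for prop in PROPERTIES:
        extras = REGION_EXTRAS if prop == REGION else ()
        out[prop] = merge_coprocessors(hbase_site.get(prop), security_enabled,
                                       ranger_enabled, extras)
    return out

def unprotected(hbase_site):
    """List the properties that load no access-control coprocessor."""
    return [p for p in PROPERTIES
            if not set(split_classes(hbase_site.get(p))) & set(AC_CLASSES)]
```

Running `unprotected()` over a parsed hbase-site.xml after install flags the missing `hbase.coprocessor.regionserver.classes` entry directly.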