[jira] [Updated] (AMBARI-13897) Ambari does not configure hbase.coprocessor.regionserver.classes

Fri, 13 Nov 2015 21:38:17 -0800 

     [ 
https://issues.apache.org/jira/browse/AMBARI-13897?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jaimin D Jetly updated AMBARI-13897:
------------------------------------
    Summary: Ambari does not configure hbase.coprocessor.regionserver.classes   
(was: [Security Issue] Ambari does not configure 
hbase.coprocessor.regionserver.classes )

> Ambari does not configure hbase.coprocessor.regionserver.classes 
> -----------------------------------------------------------------
>
>                 Key: AMBARI-13897
>                 URL: https://issues.apache.org/jira/browse/AMBARI-13897
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>            Reporter: Jaimin D Jetly
>            Assignee: Jaimin D Jetly
>            Priority: Critical
>             Fix For: 2.1.3
>
>         Attachments: AMBARI-13897.patch
>
>
> In a newly installed cluster with security and ranger, I cannot find 
> {{hbase.coprocessor.regionserver.classes}} configured which is needed to 
> protect some of the direct RPC's to the regionserver (stopping regionserver 
> is an example). 
> In a proper cluster all *three* properties should be configured:  
> {code}
> <property>
>   <name>hbase.coprocessor.region.classes</name>
>   <value>org.apache.hadoop.hbase.security.token.TokenProvider, 
> org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
> </property>
> <property>
>   <name>hbase.coprocessor.master.classes</name>
>   <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>   <name>hbase.coprocessor.regionserver.classes</name>
>   <value>org.apache.hadoop/hbase.security.access.AccessController</value>
> </property>
> {code}
> In stackadvisor, I can see that we are configuring 
> {{hbase.coprocessor.regionserver.classes}}, but somehow in a newly installed 
> cluster, I don't find the setting in hbase-site.xml. 
> There are a couple of action items from this jira: 
>  # Make sure that {{hbase.coprocessor.regionserver.classes}} is configured 
> properly for secure clusters. 
> # reading the stackadvisor code, it can be improved so that if the customer 
> has configured other coprocessors, they are not lost.  The logic for 
> {{hbase.coprocessor.regionserver.classes}} and 
> {{hbase.coprocessor.region.classes}} and {{hbase.coprocessor.master.classes}} 
> should be something like this: 
>  - get the list of co-processors and put them to a set. 
>  - If security is enabled, then add either ranger or hbase native AC 
> coprocessors to the set 
>  - Else remove the AC and ranger AC coprocessors from the list 
>  - write the configurations to hbase-site. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to