-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40319/
-----------------------------------------------------------
Review request for Ambari, Sumit Mohanty and Srimanth Gunturi.
Bugs: AMBARI-13897
https://issues.apache.org/jira/browse/AMBARI-13897
Repository: ambari
Description
-------
In a newly installed cluster with security and ranger, I cannot find
{{hbase.coprocessor.regionserver.classes}} configured, which is needed to
protect some of the direct RPCs to the regionserver (stopping regionserver is
an example).
In a proper cluster all *three* properties should be configured:
{code}
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
</property>
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
  <name>hbase.coprocessor.regionserver.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
{code}
In stackadvisor, I can see that we are configuring
{{hbase.coprocessor.regionserver.classes}}, but somehow in a newly installed
cluster, I don't find the setting in hbase-site.xml.
There are a couple of action items from this jira:
# Make sure that {{hbase.coprocessor.regionserver.classes}} is configured
properly for secure clusters.
# Reading the stackadvisor code, it can be improved so that if the customer has
configured other coprocessors, they are not lost. The logic for
{{hbase.coprocessor.regionserver.classes}} and
{{hbase.coprocessor.region.classes}} and {{hbase.coprocessor.master.classes}}
should be something like this:
- get the list of co-processors and put them to a set.
- If security is enabled, then add either ranger or hbase native AC
coprocessors to the set
- Else remove the AC and ranger AC coprocessors from the list
- write the configurations to hbase-site.
Diffs
-----
ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json 1de417f
ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py bab2cc5
ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py 6645083
ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py d3d2c3a
ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py 4db688c
Diff: https://reviews.apache.org/r/40319/diff/
Testing
-------
Jaimin D Jetly added a comment - 4 minutes ago
Tested the patch manually on a cluster.
Verified that all python unit tests pass with the patch:
----------------------------------------------------------------------
Ran 238 tests in 6.872s
OK
----------------------------------------------------------------------
Total run:832
Total errors:0
Total failures:0
OK
Thanks,
Jaimin Jetly
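
The merge logic listed in the description, as an added example that is not the patch under review or Ambari's stack_advisor.py code. Assumptions: the function and constant names, the Ranger coprocessor class name, the use of an ordered list instead of a set so the output is deterministic, and dropping whichever access controller is not selected.

```python
NATIVE_AC = "org.apache.hadoop.hbase.security.access.AccessController"
# Assumed Ranger HBase coprocessor class; it is not named in the review request.
RANGER_AC = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
TOKEN_PROVIDER = "org.apache.hadoop.hbase.security.token.TokenProvider"
BULK_LOAD = "org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint"
REGION_KEY = "hbase.coprocessor.region.classes"
COPROCESSOR_KEYS = (
    REGION_KEY,
    "hbase.coprocessor.master.classes",
    "hbase.coprocessor.regionserver.classes",
)


def split_classes(value):
    """Parse a comma-separated class list; tolerate blanks, newlines, duplicates."""
    seen, out = set(), []
    for name in (value or "").split(","):
        name = name.strip()
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def merge_coprocessors(hbase_site, security_enabled, ranger_enabled):
    """Return a copy of hbase_site with the three coprocessor lists recomputed."""
    result = dict(hbase_site)
    for key in COPROCESSOR_KEYS:
        # Start from what is already configured so custom coprocessors survive,
        # and strip both access controllers before deciding which one to add.
        classes = [c for c in split_classes(hbase_site.get(key))
                   if c not in (NATIVE_AC, RANGER_AC)]
        if security_enabled:
            if key == REGION_KEY:
                for extra in (TOKEN_PROVIDER, BULK_LOAD):
                    if extra not in classes:
                        classes.append(extra)
            classes.append(RANGER_AC if ranger_enabled else NATIVE_AC)
        result[key] = ",".join(classes)
    return result


if __name__ == "__main__":
    # Constructed sample: one custom coprocessor plus a stale native AC entry.
    site = {REGION_KEY: "com.example.AuditObserver,\n" + NATIVE_AC}
    for key, value in sorted(merge_coprocessors(site, True, True).items()):
        print(key, "=", value)
```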