-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40319/#review106543
-----------------------------------------------------------

Ship it!


Ship It!

- Sumit Mohanty


On Nov. 14, 2015, 5:39 a.m., Jaimin Jetly wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/40319/
> -----------------------------------------------------------
>
> (Updated Nov. 14, 2015, 5:39 a.m.)
>
>
> Review request for Ambari, Sumit Mohanty and Srimanth Gunturi.
>
>
> Bugs: AMBARI-13897
>     https://issues.apache.org/jira/browse/AMBARI-13897
>
>
> Repository: ambari
>
>
> Description
> -------
>
> In a newly installed cluster with security and ranger, I cannot find
> {{hbase.coprocessor.regionserver.classes}} configured which is needed to
> protect some of the direct RPCs to the regionserver (stopping regionserver
> is an example).
>
> In a proper cluster all *three* properties should be configured:
> {code}
> <property>
>   <name>hbase.coprocessor.region.classes</name>
>   <value>org.apache.hadoop.hbase.security.token.TokenProvider,
> org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
> </property>
> <property>
>   <name>hbase.coprocessor.master.classes</name>
>   <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
>   <name>hbase.coprocessor.regionserver.classes</name>
>   <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> {code}
>
> In stackadvisor, I can see that we are configuring
> {{hbase.coprocessor.regionserver.classes}}, but somehow in a newly installed
> cluster, I don't find the setting in hbase-site.xml.
>
> There are a couple of action items from this jira:
> # Make sure that {{hbase.coprocessor.regionserver.classes}} is configured
> properly for secure clusters.
> # Reading the stackadvisor code, it can be improved so that if the customer
> has configured other coprocessors, they are not lost. The logic for
> {{hbase.coprocessor.regionserver.classes}} and
> {{hbase.coprocessor.region.classes}} and {{hbase.coprocessor.master.classes}}
> should be something like this:
> - get the list of co-processors and put them to a set.
> - If security is enabled, then add either ranger or hbase native AC
> coprocessors to the set
> - Else remove the AC and ranger AC coprocessors from the list
> - write the configurations to hbase-site.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json 1de417f
>   ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py bab2cc5
>   ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py 6645083
>   ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py d3d2c3a
>   ambari-server/src/test/python/stacks/2.3/common/test_stack_advisor.py 4db688c
>
> Diff: https://reviews.apache.org/r/40319/diff/
>
>
> Testing
> -------
>
> Jaimin D Jetly added a comment - 4 minutes ago
> Tested the patch manually on a cluster.
> Verified that all python unit tests pass with the patch:
> ----------------------------------------------------------------------
> Ran 238 tests in 6.872s
> OK
> ----------------------------------------------------------------------
> Total run:832
> Total errors:0
> Total failures:0
> OK
>
>
> Thanks,
>
> Jaimin Jetly
>
>
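
The coprocessor-merging logic proposed in the quoted description, sketched in Python as an added example; it is not the Ambari patch or the stack advisor's own code. The function names, the `ranger_enabled` flag and the Ranger coprocessor class name are assumptions that do not come from the review request; other entries such as `TokenProvider` are simply preserved.

```python
# Added illustration; not code from the Ambari patch under review.
NATIVE_AC = "org.apache.hadoop.hbase.security.access.AccessController"
# Assumption: class name of Ranger's HBase plugin; the page does not name it.
RANGER_AC = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
AUTH_COPROCESSORS = (NATIVE_AC, RANGER_AC)
COPROCESSOR_KEYS = (
    "hbase.coprocessor.region.classes",
    "hbase.coprocessor.master.classes",
    "hbase.coprocessor.regionserver.classes",
)


def parse_classes(value):
    """Split a comma-separated class list, tolerating whitespace, line
    wraps and duplicates, while keeping the operator's original order."""
    seen, ordered = set(), []
    for name in (value or "").split(","):
        name = name.strip()
        if name and name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


def merge_coprocessors(hbase_site, security_enabled, ranger_enabled=False):
    """Return a copy of hbase_site with the authorization coprocessor
    added to (secure) or removed from (insecure) all three properties,
    leaving any other configured coprocessors in place."""
    result = dict(hbase_site)
    wanted = RANGER_AC if ranger_enabled else NATIVE_AC
    for key in COPROCESSOR_KEYS:
        # Drop both authorization classes first so that switching between
        # native and Ranger authorization never leaves the stale one behind.
        classes = [c for c in parse_classes(hbase_site.get(key))
                   if c not in AUTH_COPROCESSORS]
        if security_enabled:
            classes.append(wanted)
        elif not classes and key not in hbase_site:
            continue  # insecure cluster, property never set: nothing to write
        result[key] = ",".join(classes)
    return result


if __name__ == "__main__":
    # Constructed sample: a custom coprocessor (hypothetical class name) and
    # no regionserver property, the gap the review request describes.
    sample = {"hbase.coprocessor.region.classes": "com.example.AuditObserver"}
    for k, v in sorted(merge_coprocessors(sample, True).items()):
        print(k, "=", v)
```
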
