[
https://issues.apache.org/jira/browse/AMBARI-13897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15005552#comment-15005552
]
Hadoop QA commented on AMBARI-13897:
------------------------------------
{color:green}+1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12772351/AMBARI-13897.patch
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 2 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in
ambari-server.
Test results:
https://builds.apache.org/job/Ambari-trunk-test-patch/4292//testReport/
Console output:
https://builds.apache.org/job/Ambari-trunk-test-patch/4292//console
This message is automatically generated.
> Ambari does not configure hbase.coprocessor.regionserver.classes
> -----------------------------------------------------------------
>
> Key: AMBARI-13897
> URL: https://issues.apache.org/jira/browse/AMBARI-13897
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.1.0
> Reporter: Jaimin D Jetly
> Assignee: Jaimin D Jetly
> Priority: Critical
> Fix For: 2.1.3
>
> Attachments: AMBARI-13897.patch
>
>
> In a newly installed cluster with security and ranger, I cannot find
> {{hbase.coprocessor.regionserver.classes}} configured which is needed to
> protect some of the direct RPC's to the regionserver (stopping regionserver
> is an example).
> In a proper cluster all *three* properties should be configured:
> {code}
> <property>
> <name>hbase.coprocessor.region.classes</name>
> <value>org.apache.hadoop.hbase.security.token.TokenProvider,
> org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
> </property>
> <property>
> <name>hbase.coprocessor.master.classes</name>
> <value>org.apache.hadoop.hbase.security.access.AccessController</value>
> </property>
> <property>
> <name>hbase.coprocessor.regionserver.classes</name>
> <value>org.apache.hadoop/hbase.security.access.AccessController</value>
> </property>
> {code}
> In stackadvisor, I can see that we are configuring
> {{hbase.coprocessor.regionserver.classes}}, but somehow in a newly installed
> cluster, I don't find the setting in hbase-site.xml.
> There are a couple of action items from this jira:
> # Make sure that {{hbase.coprocessor.regionserver.classes}} is configured
> properly for secure clusters.
> # reading the stackadvisor code, it can be improved so that if the customer
> has configured other coprocessors, they are not lost. The logic for
> {{hbase.coprocessor.regionserver.classes}} and
> {{hbase.coprocessor.region.classes}} and {{hbase.coprocessor.master.classes}}
> should be something like this:
> - get the list of co-processors and put them to a set.
> - If security is enabled, then add either ranger or hbase native AC
> coprocessors to the set
> - Else remove the AC and ranger AC coprocessors from the list
> - write the configurations to hbase-site.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
