> Andy - could you please start a discussion? > > We could, at the very least, mark UGI as LimitedPrivate for HBase and work > with you guys to maintain compatibility for the future. Makes sense? >
That would probably help for internal usage of UGI in the secure RPC engine. As Andy points out, we do already encapsulate UGI in our own org.apache.hadoop.hbase.security.User class (which uses reflection to account for the API incompatibilities) outside of the RPC engine. We do also make direct use of some other Hadoop security classes to implement secure RPC: org.apache.hadoop.security.authorize.PolicyProvider org.apache.hadoop.security.authorize.Service org.apache.hadoop.security.authorize.ServiceAuthorizationManager org.apache.hadoop.security.SaslInputStream org.apache.hadoop.security.SaslOutputStream org.apache.hadoop.security.token.SecretManager org.apache.hadoop.security.token.Token org.apache.hadoop.security.token.TokenIdentifier If we require Hadoop 1.0.0 then these others should at least be available, though I don't know the API stability of each. If we don't, then the best way towards a single build for release seems continuing towards modularization so that the security classes can be built in a separate jar and included in the classpath when enabled. Handling all of these interactions through reflection does not seem desirable (or sane) to me. --gh
