[
https://issues.apache.org/jira/browse/OOZIE-1646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13850995#comment-13850995
]
Robert Kanter commented on OOZIE-1646:
--------------------------------------
How do you provide multiple credentials to the action? Just make it comma
separated? e.g. cred="foo,bar"
(We should add documentation on how to do that)
In any case, in the {{JavaActionExecutor}} we are currently copying the tokens
via their kind:
{code:java}
for (Token<? extends TokenIdentifier> tk :
credentialsConf.getCredentials().getAllTokens()) {
LOG.debug("ADDING TOKEN: " + tk.getKind().toString());
launcherJobConf.getCredentials().addToken(tk.getKind(), tk);
}
{code}
However, both hbase tokens will have the same kind (i.e. {{HBASE_AUTH_TOKEN}}),
and {{addToken(...)}} is simply putting them into a {{Map}}, so the second
hbase token will replace the first hbase token. That's why the patch uses the
service instead of the kind. So, even if you can use multiple credentials
sections, wouldn't thins cause it not to work?
> HBase Table Copy between two HBase servers doesn't work with Kerberos
> ---------------------------------------------------------------------
>
> Key: OOZIE-1646
> URL: https://issues.apache.org/jira/browse/OOZIE-1646
> Project: Oozie
> Issue Type: Improvement
> Components: action, security
> Affects Versions: 3.3.2, 4.0.0
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Attachments: OOZIE-1646.patch
>
>
> If you try to use the Java action to do an HBase copy between two HBase
> servers with Kerberos, it will fail. We need to update the
> {{HbaseCredentials}} to support acquiring *two* HBase delegation tokens.
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
