[ https://issues.apache.org/jira/browse/OOZIE-1646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13851149#comment-13851149 ]

Robert Kanter commented on OOZIE-1646:
--------------------------------------

{quote}Yes. (Code: getActionCredentialsProperties() - String[] credNames = 
credsInAction.split(","); ){quote}
That's good.  I've created OOZIE- to update the documentation.  


{quote}You are right about tokens of same kind being overwritten. That 
definitely needs to be fixed. But instead of checking specifically for hbase, 
can we use a unique key by adding kind+service for all tokens.{quote}
When we were looking at this, Alejandro did some research into what the "alias" 
is in {{addToken(alias, token)}}.  Long story short, it's an unfortunate remnant 
that doesn't really correspond to anything today.  I haven't checked myself, but 
in Hadoop 0.23+ there's supposed to be a {{addDelegationTokens(renewer, 
credentials)}} that gets away from the "alias"; though I suppose we can't use 
that as long as we're supporting Hadoop 1.x.  Using kind+service sounds like a 
good idea to create a unique key; my only concern is that it might break other 
components depending on how they are looking for their tokens.  If they are 
iterating through tokens looking for a specific kind, then this should be fine; 
but if they are passing the kind as the alias, like we're currently doing, then 
it will break.  That's why I only changed it for HBase to be on the safe side.  
I suppose we could go through the other projects and check...

> HBase Table Copy between two HBase servers doesn't work with Kerberos
> ---------------------------------------------------------------------
>
>                 Key: OOZIE-1646
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1646
>             Project: Oozie
>          Issue Type: Improvement
>          Components: action, security
>    Affects Versions: 3.3.2, 4.0.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: OOZIE-1646.patch
>
>
> If you try to use the Java action to do an HBase copy between two HBase 
> servers with Kerberos, it will fail.  We need to update the 
> {{HbaseCredentials}} to support acquiring *two* HBase delegation tokens.  



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
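
The overwrite and the compatibility concern raised in the comment above, as an added example that is not Oozie or Hadoop code: a plain-Java model in which a map stands in for the credentials store. The class and method names, the "_" separator, and the sample token values are all assumptions made for illustration.

```java
import java.util.*;

// Simplified stand-in for a credentials store (NOT the Hadoop API):
// a token has a kind and a service, and the store maps alias -> token.
public class TokenAliasDemo {
    record Token(String kind, String service) {}

    // alias = kind: a second token of the same kind replaces the first.
    static Map<String, Token> storeByKind(List<Token> tokens) {
        Map<String, Token> creds = new LinkedHashMap<>();
        for (Token t : tokens) creds.put(t.kind(), t);
        return creds;
    }

    // alias = kind + service: unique per (kind, service) pair.
    // The "_" separator is an assumption of this example.
    static Map<String, Token> storeByKindAndService(List<Token> tokens) {
        Map<String, Token> creds = new LinkedHashMap<>();
        for (Token t : tokens) creds.put(t.kind() + "_" + t.service(), t);
        return creds;
    }

    // Consumer style 1: iterate over all tokens and match on kind.
    static List<Token> findByIteration(Map<String, Token> creds, String kind) {
        List<Token> out = new ArrayList<>();
        for (Token t : creds.values()) if (t.kind().equals(kind)) out.add(t);
        return out;
    }

    // Consumer style 2: pass the kind as the alias.
    static Token findByAlias(Map<String, Token> creds, String kind) {
        return creds.get(kind);
    }

    public static void main(String[] args) {
        // Constructed sample: two HBase tokens (one per cluster) plus one other.
        String hbase = "HBASE_AUTH_TOKEN";
        List<Token> tokens = List.of(
            new Token(hbase, "cluster-a"),
            new Token(hbase, "cluster-b"),
            new Token("HDFS_DELEGATION_TOKEN", "nn1:8020"));
        Map<String, Token> byKind = storeByKind(tokens);
        Map<String, Token> byBoth = storeByKindAndService(tokens);
        System.out.println("alias=kind keeps: " + byKind.values());
        System.out.println("alias=kind+service keeps: " + byBoth.values());
        System.out.println("iterate by kind: " + findByIteration(byBoth, hbase));
        System.out.println("lookup by alias=kind: " + findByAlias(byBoth, hbase));
    }
}
```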
