[ 
https://issues.apache.org/jira/browse/OOZIE-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Harsh J updated OOZIE-2419:
---------------------------
    Description: 
The method we are using for obtaining tokens from HBase in 
HbaseCredentials.java does not appear to be proxying correctly. It obtains a 
token for the Oozie server user instead of the proxied user, causing a problem 
inside workflow actions that reference it.

Here's a demonstration (the first method is how Oozie does it today, and the 
second method is a more manual one which works correctly instead):

{code}
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.mapred.JobConf;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;

public class Main {
    /**
     * Reproducer for OOZIE-2419: obtains an HBase authentication token for a
     * proxied user in two different ways and prints, for each resulting
     * credential set, the token kind and the user named in the token identifier.
     *
     * <p>According to the issue text, the first way is how Oozie obtains the
     * token today and the second is a manual alternative. The output quoted in
     * the issue shows the first token naming the server login user and the
     * second naming the proxied user.
     *
     * <p>NOTE(review): a token whose identifier names the server principal would
     * presumably be authorized by HBase as that principal rather than as the
     * submitting user; confirm the access-control impact before relying on it.
     *
     * @param args unused
     * @throws Exception if the login user cannot be resolved or a token cannot be obtained
     */
    public static void main(String[] args) throws Exception {
        final String proxiedName = "harsh";

        // Build a proxy UGI for the end user on top of the process's login user
        // (the keytab-authenticated principal, per the kinit line in the issue).
        final UserGroupInformation loginUgi = UserGroupInformation.getLoginUser();
        final User proxied = User.create(UserGroupInformation.createProxyUser(proxiedName, loginUgi));

        // Way 1: ask the HBase User wrapper to place the token into the job configuration.
        final JobConf viaUserApi = new JobConf(HBaseConfiguration.create());
        proxied.obtainAuthTokenForJob(viaUserApi);
        printTokenOwners(viaUserApi);

        System.out.println();

        // Way 2: request the token from inside runAs() on the proxied user and
        // add it to the job credentials by hand.
        final JobConf viaRunAs = new JobConf(HBaseConfiguration.create());
        // Kept as an explicitly typed anonymous class so the
        // PrivilegedExceptionAction form of runAs() is the one invoked.
        final PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>> fetchToken =
                new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
                    @Override
                    public Token<AuthenticationTokenIdentifier> run() throws Exception {
                        return TokenUtil.obtainToken(viaRunAs);
                    }
                };
        final Token<AuthenticationTokenIdentifier> issued = proxied.runAs(fetchToken);
        viaRunAs.getCredentials().addToken(issued.getService(), issued);
        printTokenOwners(viaRunAs);
    }

    /**
     * Prints the kind and the identifier's user for every token held in the
     * given job configuration's credentials.
     */
    private static void printTokenOwners(JobConf jobConf) throws Exception {
        for (Token<? extends TokenIdentifier> held : jobConf.getCredentials().getAllTokens()) {
            System.out.println(held.getKind());
            // The identifier's user is the identity the token was issued for.
            System.out.println(held.decodeIdentifier().getUser());
        }
    }
}

// kinit -kt oozie.keytab oozie/$(hostname -f)
// javac -cp $(hbase classpath) Main.java
// java -cp $PWD:$(hbase classpath) Main
{code}

This prints:

{code}
HBASE_AUTH_TOKEN
<Oozie server principal; obfuscated by the mail archive> (auth:SIMPLE)

HBASE_AUTH_TOKEN
harsh (auth:SIMPLE)
{code}

The first token's identifier names the server user, whereas it should name the 
proxied user.

  was:
The method we are using for obtaining tokens from HBase in 
HbaseCredentials.java does not appear to be proxying correctly. It obtains a 
token for the Oozie server user instead of the proxied user, causing a problem 
inside workflow actions that reference it.

Here's a demonstration (the first method is how Oozie does it today, and the 
second method is a more manual one which works correctly instead):

{code}
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.mapred.JobConf;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;

public class Main {
    /**
     * Demonstration from the issue description: obtains an HBase authentication
     * token for a proxied user by two methods and prints each token's kind and
     * the user carried in its identifier, so the two results can be compared.
     *
     * The issue text describes the first method as how Oozie does it today and
     * the second as a manual one that works correctly.
     */
    public static void main(String[] args) throws Exception {
        // Name of the end user to be proxied.
        String user = "harsh";

        // Proxy UGI: "user" layered on top of the process's login user.
        UserGroupInformation ugi =  UserGroupInformation.createProxyUser(user, 
UserGroupInformation.getLoginUser());
        User u = User.create(ugi);

        // Method 1: let the HBase User object add the token to the job configuration.
        JobConf conf = new JobConf(HBaseConfiguration.create());
        u.obtainAuthTokenForJob(conf);
        // Print the kind and identifier user of every token now in conf's credentials.
        // Per the output quoted in the issue, this shows the server user, not "harsh".
        for (Token<? extends TokenIdentifier> token : 
conf.getCredentials().getAllTokens()) {
            System.out.println(token.getKind());
            System.out.println(token.decodeIdentifier().getUser());
        }

        // Blank line separating the output of the two methods.
        System.out.println();

        // Method 2: obtain the token inside runAs() on the proxied user, then add it
        // to the job credentials explicitly.
        final JobConf conf2 = new JobConf(HBaseConfiguration.create());
        Token<AuthenticationTokenIdentifier> token = u.runAs(new 
PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
            public Token<AuthenticationTokenIdentifier> run() throws Exception {
                return TokenUtil.obtainToken(conf2);
            }
        });
        conf2.getCredentials().addToken(token.getService(), token);
        // Per the output quoted in the issue, this token's identifier names "harsh".
        for (Token<? extends TokenIdentifier> token2 : 
conf2.getCredentials().getAllTokens()) {
            System.out.println(token2.getKind());
            System.out.println(token2.decodeIdentifier().getUser());
        }
    }
}

// javac -cp $(hbase classpath) Main.java
// java -cp $PWD:$(hbase classpath) Main
{code}

This prints:

{code}
HBASE_AUTH_TOKEN
<Oozie server principal; obfuscated by the mail archive> (auth:SIMPLE)

HBASE_AUTH_TOKEN
harsh (auth:SIMPLE)
{code}

The first token is identified as the server user, vs. the required proxied user 
string.


> HBase credentials are not correctly proxied
> -------------------------------------------
>
>                 Key: OOZIE-2419
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2419
>             Project: Oozie
>          Issue Type: Bug
>            Reporter: Harsh J
>
> The method we are using for obtaining tokens from HBase in 
> HbaseCredentials.java does not appear to be proxying correctly. It obtains a 
> token for the Oozie server user instead of the proxied user, causing a 
> problem inside workflow actions that reference it.
> Here's a demonstration (the first method is how Oozie does it today, and the 
> second method is a more manual one which works correctly instead):
> {code}
> import org.apache.hadoop.hbase.HBaseConfiguration;
> import org.apache.hadoop.hbase.security.User;
> import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
> import org.apache.hadoop.hbase.security.token.TokenUtil;
> import org.apache.hadoop.mapred.JobConf;
> import org.apache.hadoop.security.UserGroupInformation;
> import org.apache.hadoop.security.token.Token;
> import org.apache.hadoop.security.token.TokenIdentifier;
> import java.security.PrivilegedAction;
> import java.security.PrivilegedExceptionAction;
> public class Main {
>     public static void main(String[] args) throws Exception {
>         String user = "harsh";
>         UserGroupInformation ugi =  
> UserGroupInformation.createProxyUser(user, 
> UserGroupInformation.getLoginUser());
>         User u = User.create(ugi);
>         JobConf conf = new JobConf(HBaseConfiguration.create());
>         u.obtainAuthTokenForJob(conf);
>         for (Token<? extends TokenIdentifier> token : 
> conf.getCredentials().getAllTokens()) {
>             System.out.println(token.getKind());
>             System.out.println(token.decodeIdentifier().getUser());
>         }
>         System.out.println();
>         final JobConf conf2 = new JobConf(HBaseConfiguration.create());
>         Token<AuthenticationTokenIdentifier> token = u.runAs(new 
> PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
>             public Token<AuthenticationTokenIdentifier> run() throws 
> Exception {
>                 return TokenUtil.obtainToken(conf2);
>             }
>         });
>         conf2.getCredentials().addToken(token.getService(), token);
>         for (Token<? extends TokenIdentifier> token2 : 
> conf2.getCredentials().getAllTokens()) {
>             System.out.println(token2.getKind());
>             System.out.println(token2.decodeIdentifier().getUser());
>         }
>     }
> }
> // kinit -kt oozie.keytab oozie/$(hostname -f)
> // javac -cp $(hbase classpath) Main.java
> // java -cp $PWD:$(hbase classpath) Main
> {code}
> This prints:
> {code}
> HBASE_AUTH_TOKEN
> <Oozie server principal; obfuscated by the mail archive> (auth:SIMPLE)
> HBASE_AUTH_TOKEN
> harsh (auth:SIMPLE)
> {code}
> The first token is identified as the server user, vs. the required proxied 
> user string.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
