[
https://issues.apache.org/jira/browse/PIG-2940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13480997#comment-13480997
]
Rohini Palaniswamy commented on PIG-2940:
-----------------------------------------
Santosh,
At the moment it is not possible to have a unit test for this because of
security. Whole security code path in Hadoop itself does not have unit tests
primarily becoz of Kerberos. To actually add unit test to this, need a way to
first bring up secure mini Hadoop and hbase clusters.
Also hbase unit tests in pig do not run in 23 now. All stack components -
pig, hbase, etc are yet to publish jars in maven compiled with hadoop23. Need
to do that for pig with 0.11.
> HBaseStorage store fails in secure cluster
> ------------------------------------------
>
> Key: PIG-2940
> URL: https://issues.apache.org/jira/browse/PIG-2940
> Project: Pig
> Issue Type: Bug
> Reporter: Cheolsoo Park
> Assignee: Cheolsoo Park
> Labels: hbase
> Fix For: 0.11, 0.10.1
>
> Attachments: container_log, PIG-2940-2.patch, PIG-2940.patch
>
>
> To reproduce ths issue, please do the following in secure hadoop/hbase
> cluster:
> # On a gateway node, run kinit to obtain kerberos credentials and run a Pig
> script that includes a HBaseStorage load/store.
> # In the front-end, HBaseStorage obtains a delegation token from hbase server
> and adds it to the JobConf object.
> # In the back-end, mappers connect to hbase using the delegation token w/o
> kerberos credentials.
> While load-from-hbase works perfectly fine, store-to-hbase fails. This is
> because at step 3, mappers attempt to obtain a delegation token from hbase in
> the back-end.
> {code:title=setStoreLocation()}
> // Not setting a udf property and getting the hbase delegation token
> // only once like in setLocation as setStoreLocation gets different Job
> // objects for each call and the last Job passed is the one that is
> // launched. So we end up getting multiple hbase delegation tokens.
> addHBaseDelegationToken(m_conf, job);
> {code}
> The problem is that mappers in the back-end don't have kerberos credentials,
> so the call to addHBaseDelegationToken() fails with the following error:
> {code}
> 2012-09-30 14:33:42,310 ERROR [main]
> org.apache.hadoop.security.UserGroupInformation: PriviledgedActionException
> as:testuser (auth:SIMPLE)
> cause:org.apache.hadoop.hbase.security.AccessDeniedException:
> org.apache.hadoop.hbase.security.AccessDeniedException: Token generation only
> allowed for Kerberos authenticated clients
> at
> org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87)
> {code}
> This is not an issue with load because a delegation token is only obtained in
> the front-end for the first time when HBASE_TOKEN_SET is not set.
> {code:title=setLocation()}
> String delegationTokenSet = udfProps.getProperty(HBASE_TOKEN_SET);
> if (delegationTokenSet == null) {
> addHBaseDelegationToken(m_conf, job);
> udfProps.setProperty(HBASE_TOKEN_SET, "true");
> }
> {code}
> The proposed fix is to modify addHBaseDelegationToken() so that tokens are
> obtained only if the current user has kerberos credentials, which is true in
> the front-end while false in the back-end.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
