Matt McDowell created STORM-1647:
------------------------------------
Summary: AutoHBase doesn't send delegation token
Key: STORM-1647
URL: https://issues.apache.org/jira/browse/STORM-1647
Project: Apache Storm
Issue Type: Bug
Affects Versions: 0.10.0
Reporter: Matt McDowell

When submitting a topology, Nimbus appears to pick up the delegation tokens as
expected (the second log line is a call I added for testing this):
{code:title=nimbus.log}
2016-03-22 12:54:55.159 o.a.s.h.s.AutoHBase [INFO] Logged into Hbase as
principal = [email protected]
2016-03-22 12:54:55.160 o.a.s.h.s.AutoHBase [INFO] AutoHBase proxyUser:
[email protected] (auth:PROXY) via
[email protected] (auth:KERBEROS)
2016-03-22 12:54:55.971 o.a.s.h.s.AutoHBase [INFO] Obtained HBase tokens,
adding to user credentials.
{code}
However, when my bolt starts up, it attempts to write to HBASE as storm instead
of flurry:
{code:title=Flurry-1-1458664951-worker-6700.log}
2016-03-22 16:48:10.506 b.s.d.executor [ERROR]
org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1
action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions ([email protected], scope=########,
family=##############, params=[table=########,family=########],action=WRITE)
{code}
If I go into SecurityAuth.audit, the HBASE regionserver receives a simple token
instead of a proxy token:
{code:title=SecurityAuth.audit}
2016-03-22 16:55:20,903 INFO SecurityLogger.org.apache.hadoop.hbase.Server:
Connection from ##.##.##.## port: 35551 with unknown version info
2016-03-22 16:55:20,903 INFO
SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager:
Authorization successful for [email protected] (auth:TOKEN) for
protocol=interface
org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface
{code}
For reference, core-site.xml:
{code:title=core-site.xml}
hadoop.proxyuser.storm.groups = flurry
hadoop.proxyuser.storm.hosts = *
{code}
And storm.yaml:
{code:title=storm.yaml}
hbase.kerberos.principal : '[email protected]'
hbase.keytab.file : '/etc/security/keytabs/storm.headless.keytab'
nimbus.autocredential.plugins.classes :
['org.apache.storm.hbase.security.AutoHBase']
nimbus.credential.renewers.classes :
['org.apache.storm.hbase.security.AutoHBase']
nimbus.credential.renewers.freq.secs : 82800
{code}
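A regionserver-side check for the symptom reported above, added here as an example and not part of the original report or of the Storm or HBase code: it parses `SecurityAuth.audit` authorization records and counts those whose effective user is a service account rather than the user it is meant to act for. The principals `storm@EXAMPLE.COM` and `flurry@EXAMPLE.COM`, the address and all function names are constructed placeholders (the principals in the report are redacted), and each record is assumed to sit on a single line.

```python
import re
from collections import Counter

# Hadoop renders the caller as "<user> (auth:<METHOD>)", followed by
# " via <real user> (auth:<METHOD>)" when the caller is a proxy user.
AUTHZ = re.compile(
    r"Authorization successful for (?P<user>\S+) \(auth:(?P<method>\w+)\)"
    r"(?: via (?P<real>\S+) \(auth:(?P<real_method>\w+)\))?"
    r" for protocol=interface (?P<iface>\S+)"
)

def short_name(principal):
    """Drop instance and realm from a Kerberos principal: a/b@R -> a."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def parse_audit(lines):
    """Yield one dict per authorization record; other lines are skipped."""
    for line in lines:
        m = AUTHZ.search(line)
        if m:
            yield m.groupdict()

def service_identity_connections(lines, service_accounts):
    """Count records whose effective user is a service account, i.e. the
    service reached HBase as itself instead of as the user it acts for."""
    hits = Counter()
    for rec in parse_audit(lines):
        if short_name(rec["user"]) in service_accounts:
            hits[(rec["user"], rec["method"], rec["iface"])] += 1
    return hits

# Constructed sample: placeholder principals and address, one record per line.
IFACE = ("org.apache.hadoop.hbase.protobuf.generated."
         "ClientProtos$ClientService$BlockingInterface")
AUTHZ_LOG = ("INFO SecurityLogger.org.apache.hadoop.security.authorize."
             "ServiceAuthorizationManager: Authorization successful for ")
TAIL = " for protocol=interface " + IFACE
SAMPLE = [
    "2016-03-22 16:55:20,903 INFO SecurityLogger.org.apache.hadoop.hbase.Server: "
    "Connection from 192.0.2.10 port: 35551 with unknown version info",
    "2016-03-22 16:55:20,903 " + AUTHZ_LOG + "storm@EXAMPLE.COM (auth:TOKEN)" + TAIL,
    "2016-03-22 16:55:21,004 " + AUTHZ_LOG + "flurry@EXAMPLE.COM (auth:TOKEN)" + TAIL,
    "2016-03-22 16:55:21,310 " + AUTHZ_LOG + "flurry@EXAMPLE.COM (auth:PROXY) via "
    "storm@EXAMPLE.COM (auth:KERBEROS)" + TAIL,
    "2016-03-22 16:55:22,118 " + AUTHZ_LOG + "storm@EXAMPLE.COM (auth:TOKEN)" + TAIL,
]

if __name__ == "__main__":
    for key, count in service_identity_connections(SAMPLE, {"storm"}).items():
        print(count, *key)
```

Records where the service account appears only after `via` are not counted, since the effective user there is the impersonated one.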