Dmitry Lysnichenko created AMBARI-16084:
-------------------------------------------

             Summary: [RU] Hbase is losing table access permissions during upgrade.
                 Key: AMBARI-16084
                 URL: https://issues.apache.org/jira/browse/AMBARI-16084
             Project: Ambari
          Issue Type: Bug
            Reporter: Dmitry Lysnichenko
            Assignee: Dmitry Lysnichenko
         Attachments: AMBARI-16084.patch


So here's where we are:

- https://reviews.apache.org/r/45890/diff/2#index_header removed hard-coded 
python code which was trying to figure out which coprocessor to use. With these 
values gone, it's now up to Ambari to set the _right_ value in the 
configurations.

- However, after removing the above code, we never change the Ranger 
configurations to reflect the proper value.

- To fix this, we need to fix the values on Ambari upgrade. When upgrading 
Ambari from 2.0, we'll need to do the following:
-- If Ranger is disabled, do nothing
-- If Ranger is enabled and the cluster's current stack is HDP 2.2, then set 
the master/region coprocessors to
{code}
hbase_coprocessor_master_classes = "com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor"
hbase_coprocessor_regionserver_classes = "com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor"
hbase_coprocessor_region_classes = "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor"
{code}
-- If Ranger is enabled and the cluster's current stack is HDP 2.3, then set 
the master/region coprocessors to
{code}
hbase_coprocessor_master_classes = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
hbase_coprocessor_regionserver_classes = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
hbase_coprocessor_region_classes = "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
{code}

Now HDP stack upgrades will work since we look for 
{{XaSecureAuthorizationCoprocessor}} and change it to 
{{RangerAuthorizationCoprocessor}} as needed.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
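
The upgrade rule described in the issue above, written as a post-upgrade check that reports when the authorization coprocessor is missing, belongs to the other stack, or carries stray whitespace. This is an added example, not Ambari's code or the attached patch; the function names and the "2.2"/"2.3" stack strings are assumptions, while the class and variable names come from the issue text.

```python
# Added example: class and key names are from the issue; helper names are hypothetical.
XASECURE = "com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor"
RANGER = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
REGION_BASE = [
    "org.apache.hadoop.hbase.security.token.TokenProvider",
    "org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint",
]
AUTHORIZER_BY_STACK = {"2.2": XASECURE, "2.3": RANGER}  # assumed version format


def split_classes(value):
    """Split a comma-separated class list, dropping blanks and stray whitespace."""
    return [c.strip() for c in (value or "").split(",") if c.strip()]


def expected_coprocessors(stack_version):
    """Values the issue lists for a Ranger-enabled cluster on the given HDP stack."""
    authorizer = AUTHORIZER_BY_STACK[stack_version]
    return {
        "hbase_coprocessor_master_classes": [authorizer],
        "hbase_coprocessor_regionserver_classes": [authorizer],
        "hbase_coprocessor_region_classes": REGION_BASE + [authorizer],
    }


def audit(config, ranger_enabled, stack_version):
    """Return a list of findings; an empty list means the config matches the rule."""
    if not ranger_enabled:
        return []  # Ranger disabled: the issue says to do nothing
    if stack_version not in AUTHORIZER_BY_STACK:
        return ["stack %s is not covered by the issue" % stack_version]
    findings = []
    for key, want in expected_coprocessors(stack_version).items():
        raw = config.get(key, "")
        have = split_classes(raw)
        missing = [c for c in want if c not in have]
        if missing:  # authorizer absent means Ranger policies are not enforced
            findings.append("%s: missing %s" % (key, ",".join(missing)))
        wrong = [c for c in have if c in (XASECURE, RANGER) and c not in want]
        if wrong:
            findings.append("%s: wrong-stack authorizer %s" % (key, ",".join(wrong)))
        if raw != ",".join(have):  # a padded class name will not load
            findings.append("%s: stray whitespace or empty entries" % key)
    return findings


if __name__ == "__main__":
    # Constructed sample: only the master key is set, with a trailing space.
    print(audit({"hbase_coprocessor_master_classes": RANGER + " "}, True, "2.3"))
```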
