[jira] [Created] (HBASE-11089) Use proxy user for security integration test where multiple users are needed

[Ted Yu (JIRA)]

Ted Yu created HBASE-11089:
------------------------------

             Summary: Use proxy user for security integration test where 
multiple users are needed
                 Key: HBASE-11089
                 URL: https://issues.apache.org/jira/browse/HBASE-11089
             Project: HBase
          Issue Type: Task
            Reporter: Ted Yu


We have seen the following test failure:
{code}
2014-02-06 02:58:25,315|beaver.machine|INFO|RUNNING: /usr/bin/kinit -c 
/grid/0/hadoopqe/artifacts/kerberosTickets/hbase.kerberos.ticket -k -t 
/home/hrt_qa/hadoopqa/keytabs/hbase.headless.keytab hbase
2014-02-06 02:58:25,325|beaver.machine|INFO|RUNNING: /usr/lib/hbase/bin/hbase 
--config /tmp/hbaseConf org.apache.hadoop.hbase.IntegrationTestsDriver -regex 
IntegrationTestIngestWithACL

2014-02-06 02:58:34,489|beaver.machine|INFO|2014-02-06 02:58:34,489 DEBUG 
HBaseWriterThreadWithACL_1 token.AuthenticationTokenSelector: No matching token 
found
2014-02-06 02:58:34,493|beaver.machine|INFO|2014-02-06 02:58:34,489 DEBUG 
HBaseWriterThreadWithACL_1 security.HBaseSaslRpcClient: Creating SASL GSSAPI 
client. Server's Kerberos principal name is 
hbase/h2-ubuntu12-sec-1391405488-hbase-7.cs1cloud.inter...@example.com
2014-02-06 02:58:34,493|beaver.machine|INFO|2014-02-06 02:58:34,491 WARN 
HBaseWriterThreadWithACL_1 security.UserGroupInformation: 
PriviledgedActionException as:owner (auth:SIMPLE) 
cause:javax.security.sasl.SaslException: GSS initiate failed Caused by 
GSSException: No valid credentials provided (Mechanism level: Failed to find 
any Kerberos tgt)
2014-02-06 02:58:34,493|beaver.machine|INFO|2014-02-06 02:58:34,492 WARN 
HBaseWriterThreadWithACL_1 ipc.RpcClient: Exception encountered while 
connecting to the server : javax.security.sasl.SaslException: GSS initiate 
failed Caused by GSSException: No valid credentials provided (Mechanism level: 
Failed to find any Kerberos tgt)
2014-02-06 02:58:34,498|beaver.machine|INFO|2014-02-06 02:58:34,493 FATAL 
HBaseWriterThreadWithACL_1 ipc.RpcClient: SASL authentication failed. The most 
likely cause is missing or invalid credentials. Consider 'kinit'.
2014-02-06 02:58:34,499|beaver.machine|INFO|javax.security.sasl.SaslException: 
GSS initiate failed Caused by GSSException: No valid credentials provided 
(Mechanism level: Failed to find any Kerberos tgt)
2014-02-06 02:58:34,499|beaver.machine|INFO|at 
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
2014-02-06 02:58:34,499|beaver.machine|INFO|at 
org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:152)
2014-02-06 02:58:34,500|beaver.machine|INFO|at 
org.apache.hadoop.hbase.ipc.RpcClient$Connection.setupSaslConnection(RpcClient.java:762)
{code}
The above test failure was due to the second user in the test not being able to 
authenticate using kerberos.

This can be solved using impersonation which is described here : 
http://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html

The superuser needs to authenticate using kerberos. The superuser can 
impersonate any member of the specified groups.




--
This message was sent by Atlassian JIRA
(v6.2#6252)