[
https://issues.apache.org/jira/browse/HBASE-13425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14679490#comment-14679490
]
Hadoop QA commented on HBASE-13425:
-----------------------------------
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12749497/HBASE-13425.patch
against master branch at commit 5bdb0eb91290e306213bca62cea82c5d1b24d317.
ATTACHMENT ID: 12749497
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+0 tests included{color}. The patch appears to be a
documentation patch that doesn't require tests.
{color:green}+1 hadoop versions{color}. The patch compiles with all
supported hadoop versions (2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.0 2.7.0)
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 protoc{color}. The applied patch does not increase the
total number of protoc compiler warnings.
{color:green}+1 javadoc{color}. The javadoc tool did not generate any
warning messages.
{color:green}+1 checkstyle{color}. The applied patch does not increase the
total number of checkstyle errors
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:red}-1 lineLengths{color}. The patch introduces the following lines
longer than 100:
+ZooKeeper has a pluggable authentication mechanism to enable access from
clients using different methods. ZooKeeper even allows authenticated and
un-authenticated clients at the same time. The access to znodes can be
restricted by providing Access Control Lists (ACLs) per znode. An ACL contains
two components, the authentication method and the principal. ACLs are NOT
enforced hierarchically. See
link:https://zookeeper.apache.org/doc/r3.3.6/zookeeperProgrammers.html#sc_ZooKeeperPluggableAuthentication[ZooKeeper
Programmers Guide] for details.
+HBase daemons authenticate to ZooKeeper via SASL and kerberos (See
<<zk.sasl.auth>>). HBase sets up the znode ACLs so that only the HBase user and
the configured hbase superuser (`hbase.superuser`) can access and modify the
data. In cases where ZooKeeper is used for service discovery or sharing state
with the client, the znodes created by HBase will also allow anyone (regardless
of authentication) to read these znodes (clusterId, master address, meta
location, etc), but only the HBase user can modify them.
+All of the data under management is kept under the root directory in the file
system (`hbase.rootdir`). Access to the data and WAL files in the filesystem
should be restricted so that users cannot bypass the HBase layer, and peek at
the underlying data files from the file system. HBase assumes the filesystem
used (HDFS or other) enforces permissions hierarchically. If sufficient
protection from the file system (both authorization and authentication) is not
provided, HBase level authorization control (ACLs, visibility labels, etc) is
meaningless since the user can always access the data from the file system.
+In secure mode, SecureBulkLoadEndpoint should be configured and used for
properly handing of users files created from MR jobs to the HBase daemons and
HBase user. The staging directory in the distributed file system used for bulk
load (`hbase.bulkload.staging.dir`, defaults to `/tmp/hbase-staging`) should
have (mode 711, or `rwx--x--x`) so that users can access the staging directory
created under that parent directory, but cannot do any other operation. See
<<hbase.secure.bulkload>> for how to configure SecureBulkLoadEndPoint.
{color:green}+1 site{color}. The mvn post-site goal succeeds with this patch.
{color:red}-1 core tests{color}. The patch failed these unit tests:
{color:red}-1 core zombie tests{color}. There are 3 zombie test(s):
at
org.apache.hadoop.hbase.client.TestMobRestoreSnapshotFromClient.testRestoreSnapshot(TestMobRestoreSnapshotFromClient.java:157)
at
org.apache.hadoop.hbase.client.TestCloneSnapshotFromClient.testCloneSnapshot(TestCloneSnapshotFromClient.java:171)
at
org.apache.hadoop.hbase.client.TestCloneSnapshotFromClient.testCloneSnapshot(TestCloneSnapshotFromClient.java:159)
at
org.apache.hadoop.hbase.client.TestBlockEvictionFromClient.testParallelGetsAndScanWithWrappedRegionScanner(TestBlockEvictionFromClient.java:749)
Test results:
https://builds.apache.org/job/PreCommit-HBASE-Build/15020//testReport/
Release Findbugs (version 2.0.3) warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/15020//artifact/patchprocess/newFindbugsWarnings.html
Checkstyle Errors:
https://builds.apache.org/job/PreCommit-HBASE-Build/15020//artifact/patchprocess/checkstyle-aggregate.html
Console output:
https://builds.apache.org/job/PreCommit-HBASE-Build/15020//console
This message is automatically generated.
> Documentation nit in REST Gateway impersonation section
> -------------------------------------------------------
>
> Key: HBASE-13425
> URL: https://issues.apache.org/jira/browse/HBASE-13425
> Project: HBase
> Issue Type: Improvement
> Components: documentation
> Affects Versions: 2.0.0
> Reporter: Jeremie Gomez
> Assignee: Misty Stanley-Jones
> Priority: Minor
> Fix For: 2.0.0
>
> Attachments: HBASE-13425.patch
>
>
> In section "55.8. REST Gateway Impersonation Configuration", there is another
> property that needs to be set (and thus documented).
> After this sentence ("To enable REST gateway impersonation, add the following
> to the hbase-site.xml file for every REST gateway."), we should add :
> <property>
> <name>hbase.rest.support.proxyuser</name>
> <value>true</value>
> </property>
> It not set, doing a curl call on the rest gateway gives the error "support
> for proxyuser is not configured".
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
