[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE

Fri, 30 Oct 2015 06:45:56 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14982571#comment-14982571
 ] 

Nicolas Liochon commented on HBASE-14579:
-----------------------------------------

> Does this also happen for users authenticated with authentication tokens 
> ("auth:SIMPLE" instead of "auth:TOKEN" or "auth:DIGEST")? 
For digest, I tink it's ok, the code is RpcServer is

{code}
    private UserGroupInformation getAuthorizedUgi(String authorizedId) throws 
IOException {
      if(this.authMethod == AuthMethod.DIGEST) {
        TokenIdentifier tokenId = 
HBaseSaslRpcServer.getIdentifier(authorizedId, RpcServer.this.secretManager);
        UserGroupInformation ugi = tokenId.getUser();
        if(ugi == null) {
          throw new AccessDeniedException("Can\'t retrieve username from 
tokenIdentifier.");
        } else {
          ugi.addTokenIdentifier(tokenId);
          return ugi;
        }
      } else {
        return UserGroupInformation.createRemoteUser(authorizedId); 
<==================== auth method replaced by "SIMPLE"
      }
    }
{code}


> The latest patch (v3) for HBASE-14700 contains a fix for the UGI auth method 
> logged. Please take a look there if you have a chance.
Looking...

> Users authenticated with KERBEROS are recorded as being authenticated with 
> SIMPLE
> ---------------------------------------------------------------------------------
>
>                 Key: HBASE-14579
>                 URL: https://issues.apache.org/jira/browse/HBASE-14579
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.0, 1.2.0, 0.98.15
>            Reporter: Nicolas Liochon
>            Assignee: Nicolas Liochon
>            Priority: Minor
>             Fix For: 2.0.0
>
>         Attachments: hbase-14579.patch
>
>
> That's the HBase version of HADOOP-10683.
> We see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful 
> for securedUser/localh...@example.com (auth:SIMPLE)??
> while we would like to see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful 
> for securedUser/localh...@example.com (auth:KERBEROS)??
> The fix is simple, but it means we need hadoop 2.5+. 
> There is also a lot of cases where HBase calls "createUser" w/o specifying 
> the authentication method... I don"'t have the solution for these ones.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to