[
https://issues.apache.org/jira/browse/HBASE-14865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097526#comment-15097526
]
Appy commented on HBASE-14865:
------------------------------
So debugging the errors seen by matteo, here are the details:
The tests pass on Java version 1.7.0_75 but fail on Java 1.7.0_80 and Java 8.
It's because [these 3 lines of compatibility
code|http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7u40-b43/com/sun/security/auth/module/Krb5LoginModule.java#1067]
were removed somewhere in between those versions. As a result, UGI in
hadoop-common makes the wrong conclusion
[here|https://github.com/apache/hadoop/blob/branch-2.5.2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L583]
that there is no keytab and fails to authenticate. The bug in UGI was fixed by
[HADOOP-11287|https://github.com/apache/hadoop/commit/0ee41612bb237331fc7130a6fb8b5e3366fcc221]
but the fix only exists in 2.7.0+. So using Java 1.7.0_80+ with hadoop-common <=
2.6.x, you'll definitely see this error.
QA didn't fail because master uses hadoop-common 2.7.0+.
The issue was always there but didn't surface earlier since all tests were only
testing code paths for correct execution, but none for failures, until this
patch added some.
If there is a hadoop release of 2.5.x or 2.6.x, we can ask them to backport the
fix. There's really nothing else we can do here (except a release note to
notify users).
[[email protected]], can you ptal at my assessment.
> Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
> ---------------------------------------------------------------------------
>
> Key: HBASE-14865
> URL: https://issues.apache.org/jira/browse/HBASE-14865
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Appy
> Assignee: Appy
> Attachments: HBASE-14865-branch-1.2.patch,
> HBASE-14865-branch-1.patch, HBASE-14865-branch-1.patch,
> HBASE-14865-master-v2.patch, HBASE-14865-master-v3.patch,
> HBASE-14865-master-v4.patch, HBASE-14865-master-v5.patch,
> HBASE-14865-master-v6.patch, HBASE-14865-master-v7.patch,
> HBASE-14865-master.patch
>
>
> Currently, we can set the value of hbase.rpc.protection to one of
> authentication/integrity/privacy. It is then used to set
> {{javax.security.sasl.qop}} in SaslUtil.java.
> The problem is, if a cluster wants to switch from one qop to another, it'll
> have to take a downtime. Rolling upgrade will create a situation where some
> nodes have old value and some have new, which'll prevent any communication
> between them. There will be a similar issue when clients try to connect.
> {{javax.security.sasl.qop}} can take in a list of QOPs in preference order.
> So a transition from qop1 to qop2 can be easily done like this:
> "qop1" --> "qop2,qop1" --> rolling restart --> "qop2" --> rolling restart
> Need to change hbase.rpc.protection to accept a list too.
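The transition described in the issue summary, as an added example (not code from the HBASE-14865 patch or from HBase's SaslUtil). The class and method names are hypothetical, and negotiate() is a simplified model that assumes the client picks its first preferred QOP that the server also lists.

```java
import java.util.*;

public class QopTransitionDemo {
    /** Map a comma-separated hbase.rpc.protection value to a javax.security.sasl.qop string. */
    static String toSaslQop(String rpcProtection) {
        List<String> out = new ArrayList<>();
        for (String level : rpcProtection.split(",")) {
            String qop;
            switch (level.trim().toLowerCase(Locale.ROOT)) {
                case "authentication": qop = "auth"; break;
                case "integrity":      qop = "auth-int"; break;
                case "privacy":        qop = "auth-conf"; break;
                default: throw new IllegalArgumentException("Unknown protection level: " + level);
            }
            if (!out.contains(qop)) out.add(qop);   // keep preference order, drop duplicates
        }
        return String.join(",", out);
    }

    /** Simplified negotiation (assumption): first client preference the server also accepts, else null. */
    static String negotiate(String clientQop, String serverQop) {
        Set<String> offered = new HashSet<>(Arrays.asList(serverQop.split(",")));
        for (String q : clientQop.split(",")) {
            if (offered.contains(q)) return q;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed configuration values for a move from qop1=authentication to qop2=privacy.
        String oldCfg = "authentication", mixed = "privacy,authentication", newCfg = "privacy";
        String[][] pairs = {
            {oldCfg, newCfg},  // single-value switch, caught mid rolling restart
            {oldCfg, mixed},   // first rolling restart in progress
            {mixed, oldCfg},
            {mixed, mixed},    // first rolling restart complete
            {mixed, newCfg},   // second rolling restart in progress
            {newCfg, mixed},
        };
        for (String[] p : pairs) {
            String chosen = negotiate(toSaslQop(p[0]), toSaslQop(p[1]));
            System.out.printf("client=%-24s server=%-24s -> %s%n", p[0], p[1],
                chosen == null ? "no common QOP, connection fails" : chosen);
        }
    }
}
```

While any node or client still runs with only the old value, connections to it settle on the weaker QOP, so the two-value configuration is a transition state to leave as soon as the first rolling restart has finished.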