[
https://issues.apache.org/jira/browse/HBASE-14865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15099056#comment-15099056
]
Appy commented on HBASE-14865:
------------------------------
[~tedyu] Seems like unlike failures seen by Matteo, your's isn't dependent on
hadoop.
Just to make it clear for future reference, there are two separate failures
here:
1. 'No valid credentials' error. This has been debugged and is explained
[above|https://issues.apache.org/jira/browse/HBASE-14865?focusedCommentId=15097526&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15097526].
{noformat}
Expected: (an instance of javax.security.sasl.SaslException and exception with
message a string containing "No common protection layer between client and
server")
but: an instance of javax.security.sasl.SaslException <GSSException: No
valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)>
is a org.ietf.jgss.GSSException
Stacktrace was: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)
{noformat}
2. 'Null realm name': Will work on it next.
{noformat}
testRpcCallWithEnabledKerberosSaslAuth(org.apache.hadoop.hbase.security.TestSecureIPC)
Time elapsed: 0.049 sec <<< ERROR!
java.io.IOException: Login failure for hbase/[email protected] from keytab
/Users/tyu/trunk/hbase-server/target/test-data/76d0c754-8dca-4c88-9933-b5a77646a750/keytab:
javax.security.auth.login.LoginException: Null realm name (601)
{noformat}
> Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
> ---------------------------------------------------------------------------
>
> Key: HBASE-14865
> URL: https://issues.apache.org/jira/browse/HBASE-14865
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Appy
> Assignee: Appy
> Attachments: 14865-master-v7.patch, HBASE-14865-branch-1.2.patch,
> HBASE-14865-branch-1.patch, HBASE-14865-branch-1.patch,
> HBASE-14865-master-v2.patch, HBASE-14865-master-v3.patch,
> HBASE-14865-master-v4.patch, HBASE-14865-master-v5.patch,
> HBASE-14865-master-v6.patch, HBASE-14865-master-v7.patch,
> HBASE-14865-master.patch
>
>
> Currently, we can set the value of hbase.rpc.protection to one of
> authentication/integrity/privacy. It is the used to set
> {{javax.security.sasl.qop}} in SaslUtil.java.
> The problem is, if a cluster wants to switch from one qop to another, it'll
> have to take a downtime. Rolling upgrade will create a situation where some
> nodes have old value and some have new, which'll prevent any communication
> between them. There will be similar issue when clients will try to connect.
> {{javax.security.sasl.qop}} can take in a list of QOP in preferences order.
> So a transition from qop1 to qop2 can be easily done like this
> "qop1" --> "qop2,qop1" --> rolling restart --> "qop2" --> rolling restart
> Need to change hbase.rpc.protection to accept a list too.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
