[
https://issues.apache.org/jira/browse/HBASE-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Matteo Bertozzi updated HBASE-15622:
------------------------------------
Resolution: Fixed
Assignee: Matteo Bertozzi
Status: Resolved (was: Patch Available)
committed the patch on every branch 0.98+
I'm keeping my secure cluster configured this way, until we can get a unit-test
in.
> Superusers does not consider the keytab credentials
> ---------------------------------------------------
>
> Key: HBASE-15622
> URL: https://issues.apache.org/jira/browse/HBASE-15622
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 2.0.0, 1.2.0, 1.3.0, 1.1.4, 0.98.16.1
> Reporter: Matteo Bertozzi
> Assignee: Matteo Bertozzi
> Priority: Critical
> Fix For: 2.0.0, 1.3.0, 0.98.19, 1.1.5, 1.2.2
>
> Attachments: HBASE-15622-v0.patch
>
>
> After HBASE-13755 the superuser we add by default (the process running hbase)
> does not take in consideration the keytab credential.
> We have an env with the process user being hbase and the keytab being
> hbasefoo.
> from Superusers TRACE I see, the hbase being picked up
> {noformat}
> TRACE Superusers: Current user name is hbase
> {noformat}
> from the RS audit I see the hbasefoo making requests
> {noformat}
> "allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
> {noformat}
> looking at the code in HRegionServer we do
> {code}
> public HRegionServer(Configuration conf, CoordinatedStateManager csm)
> throws IOException {
> ...
> this.userProvider = UserProvider.instantiate(conf);
> Superusers.initialize(conf);
> ..
> // login the server principal (if using secure Hadoop)
> login(userProvider, hostName);
> ..
> {code}
> Before HBASE-13755 we were initializing the super user in the ACL
> coprocessor, so after the login. but now we do that before the login.
> I'm not sure if we can just move the Superuser.initialize() after the login
> [~mantonov]?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
