[jira] [Commented] (HBASE-15622) Superusers does not consider the keytab credentials

Sat, 16 Apr 2016 10:11:48 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15244308#comment-15244308
 ] 

Hudson commented on HBASE-15622:
--------------------------------

FAILURE: Integrated in HBase-0.98-matrix #330 (See 
[https://builds.apache.org/job/HBase-0.98-matrix/330/])
HBASE-15622 Superusers does not consider the keytab credentials 
(matteo.bertozzi: rev a3846b1329f5554225351d6142c33650c1c7d9db)
* 
hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java


> Superusers does not consider the keytab credentials
> ---------------------------------------------------
>
>                 Key: HBASE-15622
>                 URL: https://issues.apache.org/jira/browse/HBASE-15622
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.0, 1.2.0, 1.3.0, 1.1.4, 0.98.16.1
>            Reporter: Matteo Bertozzi
>            Assignee: Matteo Bertozzi
>            Priority: Critical
>             Fix For: 2.0.0, 1.3.0, 0.98.19, 1.1.5, 1.2.2
>
>         Attachments: HBASE-15622-v0.patch
>
>
> After HBASE-13755 the superuser we add by default (the process running hbase) 
> does not take in consideration the keytab credential.
> We have an env with the process user being hbase and the keytab being 
> hbasefoo.
> from Superusers TRACE I see, the hbase being picked up
> {noformat}
> TRACE Superusers: Current user name is hbase
> {noformat}
> from the RS audit I see the hbasefoo making requests
> {noformat}
> "allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
> {noformat}
> looking at the code in HRegionServer we do 
> {code}
> public HRegionServer(Configuration conf, CoordinatedStateManager csm)
>       throws IOException {
>    ...
>     this.userProvider = UserProvider.instantiate(conf);
>     Superusers.initialize(conf);
>    ..
>    // login the server principal (if using secure Hadoop)
>     login(userProvider, hostName);
>   ..
> {code}
> Before HBASE-13755 we were initializing the super user in the ACL 
> coprocessor, so after the login. but now we do that before the login.
> I'm not sure if we can just move the Superuser.initialize() after the login 
> [~mantonov]?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to