[ https://issues.apache.org/jira/browse/HBASE-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15244308#comment-15244308 ]
Hudson commented on HBASE-15622: -------------------------------- FAILURE: Integrated in HBase-0.98-matrix #330 (See [https://builds.apache.org/job/HBase-0.98-matrix/330/]) HBASE-15622 Superusers does not consider the keytab credentials (matteo.bertozzi: rev a3846b1329f5554225351d6142c33650c1c7d9db) * hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java > Superusers does not consider the keytab credentials > --------------------------------------------------- > > Key: HBASE-15622 > URL: https://issues.apache.org/jira/browse/HBASE-15622 > Project: HBase > Issue Type: Bug > Components: security > Affects Versions: 2.0.0, 1.2.0, 1.3.0, 1.1.4, 0.98.16.1 > Reporter: Matteo Bertozzi > Assignee: Matteo Bertozzi > Priority: Critical > Fix For: 2.0.0, 1.3.0, 0.98.19, 1.1.5, 1.2.2 > > Attachments: HBASE-15622-v0.patch > > > After HBASE-13755 the superuser we add by default (the process running hbase) > does not take in consideration the keytab credential. > We have an env with the process user being hbase and the keytab being > hbasefoo. > from Superusers TRACE I see, the hbase being picked up > {noformat} > TRACE Superusers: Current user name is hbase > {noformat} > from the RS audit I see the hbasefoo making requests > {noformat} > "allowed":true,"serviceName":"HBASE-1","username":"hbasefoo... > {noformat} > looking at the code in HRegionServer we do > {code} > public HRegionServer(Configuration conf, CoordinatedStateManager csm) > throws IOException { > ... > this.userProvider = UserProvider.instantiate(conf); > Superusers.initialize(conf); > .. > // login the server principal (if using secure Hadoop) > login(userProvider, hostName); > .. > {code} > Before HBASE-13755 we were initializing the super user in the ACL > coprocessor, so after the login. but now we do that before the login. > I'm not sure if we can just move the Superuser.initialize() after the login > [~mantonov]? -- This message was sent by Atlassian JIRA (v6.3.4#6332)