[ https://issues.apache.org/jira/browse/HBASE-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13152799#comment-13152799 ]
Hudson commented on HBASE-2742:
-------------------------------
Integrated in HBase-TRUNK #2455 (See [https://builds.apache.org/job/HBase-TRUNK/2455/])
HBASE-2742 Provide strong authentication with a secure RPC engine
garyh :
Files :
* /hbase/trunk/CHANGES.txt
* /hbase/trunk/conf/hbase-policy.xml
* /hbase/trunk/pom.xml
* /hbase/trunk/security
* /hbase/trunk/security/src
* /hbase/trunk/security/src/main
* /hbase/trunk/security/src/main/java
* /hbase/trunk/security/src/main/java/org
* /hbase/trunk/security/src/main/java/org/apache
* /hbase/trunk/security/src/main/java/org/apache/hadoop
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureConnectionHeader.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureRpcEngine.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureServer.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/AccessDeniedException.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/HBasePolicyProvider.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcServer.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationKey.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationProtocol.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenIdentifier.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenSecretManager.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/AuthenticationTokenSelector.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenProvider.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/TokenUtil.java
* /hbase/trunk/security/src/main/java/org/apache/hadoop/hbase/security/token/ZKSecretWatcher.java
* /hbase/trunk/security/src/test
* /hbase/trunk/security/src/test/java
* /hbase/trunk/security/src/test/java/org
* /hbase/trunk/security/src/test/java/org/apache
* /hbase/trunk/security/src/test/java/org/apache/hadoop
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/token
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/token/TestTokenAuthentication.java
* /hbase/trunk/security/src/test/java/org/apache/hadoop/hbase/security/token/TestZKSecretWatcher.java
* /hbase/trunk/security/src/test/resources
* /hbase/trunk/security/src/test/resources/hbase-site.xml
* /hbase/trunk/src/assembly/all.xml
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/HServerAddress.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/client/HConnectionManager.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/ConnectionHeader.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HBaseClient.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HBaseRPC.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HBaseRpcMetrics.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HBaseServer.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HMasterInterface.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HMasterRegionInterface.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/HRegionInterface.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/RequestContext.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/RpcEngine.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/ipc/WritableRpcEngine.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/mapred/TableMapReduceUtil.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/mapreduce/TableMapReduceUtil.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/KerberosInfo.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/TokenInfo.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/security/User.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKLeaderManager.java
* /hbase/trunk/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
* /hbase/trunk/src/main/resources/hbase-default.xml
* /hbase/trunk/src/test/java/org/apache/hadoop/hbase/MiniHBaseCluster.java
* /hbase/trunk/src/test/java/org/apache/hadoop/hbase/PerformanceEvaluation.java
* /hbase/trunk/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZKLeaderManager.java
> Provide strong authentication with a secure RPC engine
> ------------------------------------------------------
>
> Key: HBASE-2742
> URL: https://issues.apache.org/jira/browse/HBASE-2742
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Reporter: Gary Helmling
> Assignee: Gary Helmling
> Priority: Critical
> Fix For: 0.92.0
>
> Attachments: HBASE-2742_10.patch
>
>
> The HBase RPC code (org.apache.hadoop.hbase.ipc.*) was originally forked off
> of Hadoop RPC classes, with some performance tweaks added. Those
> optimizations have come at a cost in keeping up with Hadoop RPC changes
> however, both bug fixes and improvements/new features.
> In particular, this impacts how we implement security features in HBase (see
> HBASE-1697 and HBASE-2016). The secure Hadoop implementation (HADOOP-4487)
> relies heavily on RPC changes to support client authentication via Kerberos
> and securing and mutual authentication of client/server connections via SASL.
> Making use of the built-in Hadoop RPC classes will gain us these pieces for
> free in a secure HBase.
> So, I'm proposing that we drop the HBase forked version of RPC and convert to
> direct use of Hadoop RPC, while working to contribute important fixes back
> upstream to Hadoop core. Based on a review of the HBase RPC changes, the key
> divergences seem to be:
> HBaseClient:
> - added use of TCP keepalive (HBASE-1754)
> - made connection retries and sleep configurable (HBASE-1815)
> - prevent NPE if socket == null due to creation failure (HBASE-2443)
> HBaseRPC:
> - mapping of method names <-> codes (removed in HBASE-2219)
> HBaseServer:
> - use of TCP keep alives (HBASE-1754)
> - OOME in server does not trigger abort (HBASE-1198)
> HbaseObjectWritable:
> - allows List<> serialization
> - includes its own class <-> code mapping (HBASE-328)
> Proposed process is:
> 1. open issues with patches on Hadoop core for important fixes/adjustments
> from HBase RPC (HBASE-1198, HBASE-1815, HBASE-1754, HBASE-2443, plus a
> pluggable ObjectWritable implementation in RPC.Invocation to allow use of
> HbaseObjectWritable).
> 2. ship a Hadoop version with RPC patches applied -- ideally we should avoid
> another copy-n-paste code fork, subject to ability to isolate changes from
> impacting Hadoop internal RPC wire formats
> 3. if all Hadoop core patches are applied we can drop back to a plain vanilla
> Hadoop version
> I realize there are many different opinions on how to proceed with HBase RPC,
> so I'm hoping this issue will kick off a discussion on what the best approach
> might be. My own motivation is maximizing re-use of the authentication and
> connection security work that's already gone into Hadoop core. I'll put
> together a set of patches around #1 and #2, but obviously we need some
> consensus around this to move forward. If I'm missing other differences
> between HBase and Hadoop RPC, please list as well. Discuss!