[ https://issues.apache.org/jira/browse/HBASE-17439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-17439:
---------------------------
    Description: 
Here is a snippet of the stack trace from HBASE-17435:
{code}
        at org.apache.hadoop.hbase.backup.BackupObserver.preCommitStoreFile(BackupObserver.java:89)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$61.call(RegionCoprocessorHost.java:1494)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1692)
        at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preCommitStoreFile(RegionCoprocessorHost.java:1490)
        at org.apache.hadoop.hbase.regionserver.HRegion.bulkLoadHFiles(HRegion.java:5512)
        at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint$1.run(SecureBulkLoadEndpoint.java:293)
        at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint$1.run(SecureBulkLoadEndpoint.java:276)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1704)
        at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint.secureBulkLoadHFiles(SecureBulkLoadEndpoint.java:276)
{code}
The ugi obtained from RPC on the server side does not contain the required 
Kerberos credentials to access the HBase table. Hence the need to pass the 
authentication Token from the region server onto the ugi.

In the course of solving HBASE-17435, [~jerryhe] and I noticed that it is 
cumbersome for other coprocessors (such as SecureBulkLoadEndpoint) to retrieve 
the authentication Token from the region server.

Currently a Connection is needed to communicate with TokenProvider. Care is 
needed not to introduce a deadlock on the server side.

This JIRA is to investigate the feasibility of bypassing Connection / TokenProvider 
in the retrieval of the authentication Token for custom coprocessors. This involves 
some refactoring around AuthenticationTokenSecretManager.

  was:
In the course of solving HBASE-17435, [~jerryhe] and I noticed that it is 
cumbersome for other coprocessors (such as SecureBulkLoadEndpoint) to retrieve 
the authentication Token from the region server.
Currently a Connection is needed to communicate with TokenProvider. Care is 
needed not to introduce a deadlock on the server side.

This JIRA is to investigate the feasibility of bypassing Connection / TokenProvider 
in the retrieval of the authentication Token for custom coprocessors. This involves 
some refactoring around AuthenticationTokenSecretManager.


> Make authentication Token retrieval amenable to coprocessor
> -----------------------------------------------------------
>
>                 Key: HBASE-17439
>                 URL: https://issues.apache.org/jira/browse/HBASE-17439
>             Project: HBase
>          Issue Type: Improvement
>          Components: Coprocessors, security
>            Reporter: Ted Yu



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
