[ https://issues.apache.org/jira/browse/HBASE-17439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15816875#comment-15816875 ]
Gary Helmling commented on HBASE-17439:
---------------------------------------
Why does HRegion.bulkLoadHFiles() need to run as the end user? What is
BackupObserver.preCommitStoreFile() doing and why does it need an auth token?
Is it doing a remote call?
> Make authentication Token retrieval amenable to coprocessor
> -----------------------------------------------------------
>
> Key: HBASE-17439
> URL: https://issues.apache.org/jira/browse/HBASE-17439
> Project: HBase
> Issue Type: Improvement
> Components: Coprocessors, security
> Reporter: Ted Yu
>
> Here is a snippet of the stack trace from HBASE-17435:
> {code}
> at org.apache.hadoop.hbase.backup.BackupObserver.preCommitStoreFile(BackupObserver.java:89)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$61.call(RegionCoprocessorHost.java:1494)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost$RegionOperation.call(RegionCoprocessorHost.java:1660)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1734)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.execOperation(RegionCoprocessorHost.java:1692)
> at org.apache.hadoop.hbase.regionserver.RegionCoprocessorHost.preCommitStoreFile(RegionCoprocessorHost.java:1490)
> at org.apache.hadoop.hbase.regionserver.HRegion.bulkLoadHFiles(HRegion.java:5512)
> at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint$1.run(SecureBulkLoadEndpoint.java:293)
> at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint$1.run(SecureBulkLoadEndpoint.java:276)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:356)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1704)
> at org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint.secureBulkLoadHFiles(SecureBulkLoadEndpoint.java:276)
> {code}
> The ugi obtained from RPC on the server side does not contain required
> Kerberos credentials to access hbase table. Hence the need to pass
> authentication Token from region server onto the ugi.
> In the course of solving HBASE-17435, [~jerryhe] and I noticed that it is
> cumbersome for other coprocessors (such as SecureBulkLoadEndpoint) to retrieve
> authentication Token from region server.
> Currently a Connection is needed to communicate with TokenProvider. Care is
> needed not to introduce deadlock on the server side.
> This JIRA is to investigate feasibility of bypassing Connection /
> TokenProvider in the retrieval of authentication Token for custom
> coprocessor. This involves some refactoring around
> AuthenticationTokenSecretManager.