[
https://issues.apache.org/jira/browse/HBASE-23319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wang, Xinglong updated HBASE-23319:
-----------------------------------
Description:
There are 2 ways to specify JAAS for zk
1st approach is to specify in hbase-env.sh via
-Djava.security.auth.login.config=zk_client_jaas.conf
2nd approach is introduced by
https://issues.apache.org/jira/browse/HBASE-4791
However, during my test, for the 2nd approach, if I remove the JAAS-related
configuration from hbase-env.sh and add the following entries required by
HBASE-4791, the regionserver cannot authenticate with zk successfully:
{code:java}
hbase.zookeeper.client.keytab.file
hbase.zookeeper.client.kerberos.principal
{code}
I checked the code; it failed on this line:
https://github.com/apache/hbase/blob/master/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L871
And this will cause the JAAS login process to break on
https://github.com/apache/hbase/blob/master/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L208
As a result, the regionserver will not try to log in from the keytab in such a case.
was:
There are 2 ways to specify JAAS for zk
1st approach is to specify in hbase-env.sh via
-Djava.security.auth.login.config=zk_client_jaas.conf
2nd approach is introduced by
https://issues.apache.org/jira/browse/HBASE-4791
However, during my test, if I remove the JAAS-related configuration from
hbase-env.sh and add the following entries required by HBASE-4791, the regionserver
cannot authenticate with zk successfully:
{code:java}
hbase.zookeeper.client.keytab.file
hbase.zookeeper.client.kerberos.principal
{code}
I checked the code; it failed on this line:
https://github.com/apache/hbase/blob/master/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L871
And this will cause the JAAS login process to break on
https://github.com/apache/hbase/blob/master/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L208
As a result, the regionserver will not try to log in from the keytab in such a case.
> ZKUtil.isSecureZooKeeper does not consider JAAS configuration set
> programmatically
> -----------------------------------------------------------------------------------
>
> Key: HBASE-23319
> URL: https://issues.apache.org/jira/browse/HBASE-23319
> Project: HBase
> Issue Type: Bug
> Reporter: Wang, Xinglong
> Assignee: Wang, Xinglong
> Priority: Minor
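The gap described in this issue, shown with the standard `javax.security.auth.login` API as an added example (not code from HBase or from the reporter): a check keyed only on the `java.security.auth.login.config` system property reports "not secure" when the JAAS configuration was installed in code. The class name, both check methods, the `Client` section name and the keytab/principal values are assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class JaasDetectionDemo {
    // Assumption: the ZooKeeper client section is named "Client".
    static final String SECTION = "Client";

    // Hypothetical check that only recognises the file-based (1st) approach.
    static boolean secureByProperty() {
        return System.getProperty("java.security.auth.login.config") != null;
    }

    // Check that also sees a Configuration installed programmatically (2nd approach).
    static boolean secureByInstalledConfig() {
        try {
            AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(SECTION);
            return entries != null && entries.length > 0;
        } catch (SecurityException e) {
            return false; // no JAAS configuration could be loaded at all
        }
    }

    // Builds an in-memory JAAS configuration for a keytab login.
    static Configuration keytabConfig(String keytab, String principal) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("storeKey", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return SECTION.equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }

    public static void main(String[] args) {
        // Constructed placeholder values, not taken from the issue.
        Configuration.setConfiguration(
            keytabConfig("/path/to/hbase.keytab", "hbase/host.example.com@EXAMPLE.COM"));
        System.out.println("system-property check:   " + secureByProperty());
        System.out.println("installed-config check:  " + secureByInstalledConfig());
    }
}
```

Run without `-Djava.security.auth.login.config` on the command line so the two checks can be compared.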