[ https://issues.apache.org/jira/browse/HBASE-28316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17807698#comment-17807698 ]

Duo Zhang commented on HBASE-28316:
-----------------------------------

When implementing, I found a big problem: in HBase, we actually do not 
allow master and region server to use different principal usernames if Kerberos 
is enabled...

The problem is that we register a service and its principal pattern in 
SecurityInfo, and when connecting, we use the pattern to construct the 
server principal. So for a single service, we can only have one principal 
pattern, either 'hbase.master.kerberos.principal' or 
'hbase.regionserver.kerberos.principal'.

But for AdminService and ClientMetaService, both master and region server 
implement the interface, so if you use different principals for master and 
region server, then either the client cannot connect to master, or the client 
cannot connect to region server...

For AdminService, it seems to only affect MOB-related features, as we need to go 
to master to query the region info.
For ClientMetaService, we have already released HBASE-26150 in 2.5.0, and it is 
also very important for reducing the load on master, which is a bit troublesome...

Anyway, let me fix the problem here first and add a release note documenting 
that if you enable Kerberos and want to use different principals for master and 
region server, you should use ZKConnectionRegistry for now...

> Add BootstrapNodeService handlers
> ---------------------------------
>
>                 Key: HBASE-28316
>                 URL: https://issues.apache.org/jira/browse/HBASE-28316
>             Project: HBase
>          Issue Type: Sub-task
>    Affects Versions: 2.6.0, 3.0.0-beta-1
>            Reporter: Bryan Beaudreault
>            Assignee: Duo Zhang
>            Priority: Blocker
>
> We added calls to a BootstrapNodeService, but the servers are not set up to 
> serve it. We need to add it in two places:
>  * RSRPCServices list of services: 
> [https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/RSRpcServices.java#L1447]
>  * HBasePolicyProvider mapping of acl to service: 
> [https://github.com/apache/hbase/blob/master/hbase-server/src/main/java/org/apache/hadoop/hbase/security/HBasePolicyProvider.java#L40]
> Without adding it to these two places, you first see UnknownServiceExceptions 
> and then you see AccessDeniedExceptions.
>  
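As an added illustration of the limitation described in the comment above (not HBase's own code), the constructed model below registers each RPC service under a single principal-pattern key, substitutes _HOST the way a client would, and reports the services whose serving role would present a principal the client does not expect. The SECURITY_INFO and SERVED_BY tables, the function names and the example hostname are assumptions made for this model.

```python
# Constructed model: each RPC service is registered with exactly one principal
# config key, and the client substitutes _HOST in that pattern with the server
# hostname. Tables and names below are assumptions, not HBase's real registry.

MASTER_KEY = "hbase.master.kerberos.principal"
RS_KEY = "hbase.regionserver.kerberos.principal"

# Assumed registry: service -> the one config key holding its principal pattern.
# AdminService and ClientMetaService are served by both roles but can only be
# registered under one key (assumed here to be the region server key).
SECURITY_INFO = {
    "MasterService": MASTER_KEY,
    "RegionServerStatusService": MASTER_KEY,
    "ClientService": RS_KEY,
    "AdminService": RS_KEY,
    "ClientMetaService": RS_KEY,
}

# Which roles actually implement each service (per the comment: AdminService and
# ClientMetaService are implemented by both master and region server).
SERVED_BY = {
    "AdminService": {"master", "regionserver"},
    "ClientMetaService": {"master", "regionserver"},
    "MasterService": {"master"},
    "ClientService": {"regionserver"},
    "RegionServerStatusService": {"master"},
}

ROLE_KEY = {"master": MASTER_KEY, "regionserver": RS_KEY}


def expected_principal(service, host, conf):
    """Principal the client will demand, built from the service's single pattern."""
    return conf[SECURITY_INFO[service]].replace("_HOST", host)


def actual_principal(role, host, conf):
    """Principal a server of the given role really authenticates with."""
    return conf[ROLE_KEY[role]].replace("_HOST", host)


def find_conflicts(conf, host="node1.example.com"):
    """(service, role) pairs where the serving role's principal differs from the
    one the client expects. Empty when master and RS share one pattern."""
    conflicts = []
    for service, roles in SERVED_BY.items():
        want = expected_principal(service, host, conf)
        for role in sorted(roles):
            if actual_principal(role, host, conf) != want:
                conflicts.append((service, role))
    return conflicts
```

Running find_conflicts against a configuration with one shared pattern returns nothing, while distinct master and region server patterns flag exactly the two dual-role services.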



--
This message was sent by Atlassian Jira
(v8.20.10#820010)