[
https://issues.apache.org/jira/browse/HBASE-7623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13557527#comment-13557527
]
Gary Helmling commented on HBASE-7623:
--------------------------------------
Okay, my concern was more that this might be a temporary condition where the
user is not initially available but then could be available later, potentially
indicating a deeper problem, rather than running in an environment with no
user. Is there a more specific exception to handle in the Windows case?
From what I can see, if hadoop.security.authorization is set to "true", even
with simple auth, we may get an NPE server side when we call down to
{{ServiceAuthorizationManager.authorize()}} if the user is null.
We could modify {{HBaseServer.authorize()}} to do something like the following:
{code:java}
if (authorize) {
+ if (user == null) {
+ // when configured for authorization, some username is required
+ throw new AuthorizationException("Unable to authorize, no user is
associated with connection");
+ }
Class<?> protocol = null;
try {
protocol = getProtocolClass(connection.getProtocol(), getConf());
} catch (ClassNotFoundException cfne) {
throw new AuthorizationException("Unknown protocol: " +
connection.getProtocol());
}
- authManager.authorize(user != null ? user : null,
- protocol, getConf(), addr);
+ authManager.authorize(user, protocol, getConf(), addr);
}
{code}
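Review bot: The null-user rejection added at the top of the `if (authorize)` block throws with a message that names neither the peer nor the protocol, although `addr` and `connection.getProtocol()` are both in scope there (they are used a few lines further down). Including them in the message would let an operator see which client hit the condition, which matters if a missing user turns out to be transient rather than environmental. Placing the check before `getProtocolClass()` fails closed without doing the lookup, and dropping `user != null ? user : null` changes nothing functionally. A test that calls `authorize()` with a null user while authorization is enabled, expecting `AuthorizationException` rather than an NPE, would pin the new behaviour.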
It seems like the right approach that a user is required if we're configured to
do authorization. The second change is just a cleanup since the conditional
does nothing in that case.
If we're not configured to do authorization and only doing simple auth, then a
null user looks to be okay.
> Username is not available for HConnectionManager to use in HConnectionKey
> -------------------------------------------------------------------------
>
> Key: HBASE-7623
> URL: https://issues.apache.org/jira/browse/HBASE-7623
> Project: HBase
> Issue Type: Improvement
> Components: Client, security
> Reporter: Jimmy Xiang
> Assignee: Jimmy Xiang
> Priority: Minor
> Attachments: trunk-7623.patch
>
>
> Sometimes, some non-IOException prevents User.getCurrent() from getting a username.
> It makes it impossible to create a HConnection. We should catch all
> exceptions here:
> {noformat}
> try {
>   User currentUser = User.getCurrent();
>   if (currentUser != null) {
>     username = currentUser.getName();
>   }
> } catch (IOException ioe) {
>   LOG.warn("Error obtaining current user, skipping username in HConnectionKey",
>       ioe);
> }
> {noformat}
> Not just IOException, so that client can move forward.