[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14370846#comment-14370846 ] Enis Soztutar commented on HBASE-13275: --- If we can default this to true, I think it is fine for 1.0 and 0.98. If the user does not set this and was instead using only the coprocessor, doing a patch update should not suddenly cause a security gap. Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14371284#comment-14371284 ] William Watson commented on HBASE-13275: Should we make a new ticket for Ambari or will they update their docs when the hbase docs are updated? Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14372085#comment-14372085 ] Enis Soztutar commented on HBASE-13275: --- bq. Should we make a new ticket for Ambari or will they update their docs when the hbase docs are updated? I think the plan is to fix the code to respect that config rather than remove documentation. Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14368587#comment-14368587 ] stack commented on HBASE-13275: --- Backfilling is elegant soln. Yeah, do you have to set it true by default as per Lars? Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14369289#comment-14369289 ] William Watson commented on HBASE-13275: I thought the docs said it defaults to false... Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14369290#comment-14369290 ] William Watson commented on HBASE-13275: or to not being set at all Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14369913#comment-14369913 ] Lars Hofhansl commented on HBASE-13275: --- bq. I thought the docs said it defaults to false... Then the doc is currently wrong. :) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14369938#comment-14369938 ] Andrew Purtell commented on HBASE-13275: Ok, I think we're set. I will add logic to the authorization coprocessors that respect this setting and default it to true there if the config is missing. Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14369919#comment-14369919 ] William Watson commented on HBASE-13275: Carry on. :) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14368238#comment-14368238 ] Andrew Purtell commented on HBASE-13275: We'll need a companion change in the VisibilityController too. The presence or absence of the coprocessors in the system or table coprocessor list has been serving as the authorization toggle. I suppose an argument against any fix beyond documentation is there is no utility of having the coprocessors installed but inactive. Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14368232#comment-14368232 ] Andrew Purtell commented on HBASE-13275: How about a quick patch to the AccessController to respect that configuration setting? I can whip up something in a few minutes. Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14368340#comment-14368340 ] William Watson commented on HBASE-13275: Thanks a bunch, in advance, for creating the patch. I was going to say that since Ambari already has this config in the UI, it might be best to actually make it do something rather than just removing it from the docs. Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14368474#comment-14368474 ] Misty Stanley-Jones commented on HBASE-13275: - So am I removing it or are you adding the functionality, [~andrew.purt...@gmail.com]? Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14368504#comment-14368504 ] Andrew Purtell commented on HBASE-13275: bq. are you adding the functionality I've left it up for discussion at the moment [~misty] . I'm leaning toward having the coprocessors recognize when hbase.security.authorization is not present. Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14368555#comment-14368555 ] Lars Hofhansl commented on HBASE-13275: --- Hmm... If we want the minimum disruption we could honor the flag now, but default it do true. Would that work? Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson Assignee: Andrew Purtell Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.13 According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-13275) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list
[ https://issues.apache.org/jira/browse/HBASE-13275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14367763#comment-14367763 ] Matteo Bertozzi commented on HBASE-13275: - [~misty] looks like we have that hbase.security.authorization in the docs, but code side doesn't seems to be used anywhere. so for now, I'd say just remove it from the doc until we implement that. (src/main/asciidoc/_chapters/security.adoc) Setting hbase.security.authorization to false does not disable authorization when AccessController is in the coprocessor class list --- Key: HBASE-13275 URL: https://issues.apache.org/jira/browse/HBASE-13275 Project: HBase Issue Type: Bug Reporter: William Watson According to the docs provided by Cloudera (we're not running Cloudera, BTW), this is the list of configs to enable authorization in HBase: {code} property namehbase.security.authorization/name valuetrue/value /property property namehbase.coprocessor.master.classes/name valueorg.apache.hadoop.hbase.security.access.AccessController/value /property property namehbase.coprocessor.region.classes/name valueorg.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController/value /property {code} We wanted to then disable authorization but simply setting hbase.security.authorization to false did not disable the authorization -- This message was sent by Atlassian JIRA (v6.3.4#6332)