[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[
https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14982571#comment-14982571
]
Nicolas Liochon commented on HBASE-14579:
-
> Does this also happen for users authenticated with authentication tokens
> ("auth:SIMPLE" instead of "auth:TOKEN" or "auth:DIGEST")?
For digest, I tink it's ok, the code is RpcServer is
{code}
private UserGroupInformation getAuthorizedUgi(String authorizedId) throws
IOException {
if(this.authMethod == AuthMethod.DIGEST) {
TokenIdentifier tokenId =
HBaseSaslRpcServer.getIdentifier(authorizedId, RpcServer.this.secretManager);
UserGroupInformation ugi = tokenId.getUser();
if(ugi == null) {
throw new AccessDeniedException("Can\'t retrieve username from
tokenIdentifier.");
} else {
ugi.addTokenIdentifier(tokenId);
return ugi;
}
} else {
return UserGroupInformation.createRemoteUser(authorizedId);
< auth method replaced by "SIMPLE"
}
}
{code}
> The latest patch (v3) for HBASE-14700 contains a fix for the UGI auth method
> logged. Please take a look there if you have a chance.
Looking...
> Users authenticated with KERBEROS are recorded as being authenticated with
> SIMPLE
> -
>
> Key: HBASE-14579
> URL: https://issues.apache.org/jira/browse/HBASE-14579
> Project: HBase
> Issue Type: Bug
> Components: security
>Affects Versions: 1.0.0, 1.2.0, 0.98.15
>Reporter: Nicolas Liochon
>Assignee: Nicolas Liochon
>Priority: Minor
> Fix For: 2.0.0
>
> Attachments: hbase-14579.patch
>
>
> That's the HBase version of HADOOP-10683.
> We see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful
> for securedUser/localh...@example.com (auth:SIMPLE)??
> while we would like to see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful
> for securedUser/localh...@example.com (auth:KERBEROS)??
> The fix is simple, but it means we need hadoop 2.5+.
> There is also a lot of cases where HBase calls "createUser" w/o specifying
> the authentication method... I don"'t have the solution for these ones.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[
https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14979374#comment-14979374
]
Gary Helmling commented on HBASE-14579:
---
Does this also happen for users authenticated with authentication tokens
("auth:SIMPLE" instead of "auth:TOKEN" or "auth:DIGEST")? Over in HBASE-14700,
I'm looking at a related change to the audit log for authenticated users.
> Users authenticated with KERBEROS are recorded as being authenticated with
> SIMPLE
> -
>
> Key: HBASE-14579
> URL: https://issues.apache.org/jira/browse/HBASE-14579
> Project: HBase
> Issue Type: Bug
> Components: security
>Affects Versions: 1.0.0, 1.2.0, 0.98.15
>Reporter: Nicolas Liochon
>Assignee: Nicolas Liochon
>Priority: Minor
> Fix For: 2.0.0
>
> Attachments: hbase-14579.patch
>
>
> That's the HBase version of HADOOP-10683.
> We see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful
> for securedUser/localh...@example.com (auth:SIMPLE)??
> while we would like to see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful
> for securedUser/localh...@example.com (auth:KERBEROS)??
> The fix is simple, but it means we need hadoop 2.5+.
> There is also a lot of cases where HBase calls "createUser" w/o specifying
> the authentication method... I don"'t have the solution for these ones.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[ https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14979590#comment-14979590 ] Gary Helmling commented on HBASE-14579: --- The latest patch (v3) for HBASE-14700 contains a fix for the UGI auth method logged. Please take a look there if you have a chance. > Users authenticated with KERBEROS are recorded as being authenticated with > SIMPLE > - > > Key: HBASE-14579 > URL: https://issues.apache.org/jira/browse/HBASE-14579 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 1.0.0, 1.2.0, 0.98.15 >Reporter: Nicolas Liochon >Assignee: Nicolas Liochon >Priority: Minor > Fix For: 2.0.0 > > Attachments: hbase-14579.patch > > > That's the HBase version of HADOOP-10683. > We see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:SIMPLE)?? > while we would like to see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:KERBEROS)?? > The fix is simple, but it means we need hadoop 2.5+. > There is also a lot of cases where HBase calls "createUser" w/o specifying > the authentication method... I don"'t have the solution for these ones. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[ https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14954636#comment-14954636 ] Nicolas Liochon commented on HBASE-14579: - Thanks Stack, yes, it would be great. I could change the script, but I can't easily test it right now. > Users authenticated with KERBEROS are recorded as being authenticated with > SIMPLE > - > > Key: HBASE-14579 > URL: https://issues.apache.org/jira/browse/HBASE-14579 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 1.0.0, 1.2.0, 0.98.15 >Reporter: Nicolas Liochon >Assignee: Nicolas Liochon >Priority: Minor > Fix For: 2.0.0 > > Attachments: hbase-14579.patch > > > That's the HBase version of HADOOP-10683. > We see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:SIMPLE)?? > while we would like to see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:KERBEROS)?? > The fix is simple, but it means we need hadoop 2.5+. > There is also a lot of cases where HBase calls "createUser" w/o specifying > the authentication method... I don"'t have the solution for these ones. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[ https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14953638#comment-14953638 ] stack commented on HBASE-14579: --- I think test-patch is used for all builds. So, we should pass in this string as an argument instead and then have jenkins set it per build? i.e. for master, we'd drop the 2.4? Yeah, need to update the book matrix too. > Users authenticated with KERBEROS are recorded as being authenticated with > SIMPLE > - > > Key: HBASE-14579 > URL: https://issues.apache.org/jira/browse/HBASE-14579 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 1.0.0, 1.2.0, 0.98.15 >Reporter: Nicolas Liochon >Assignee: Nicolas Liochon >Priority: Minor > Fix For: 2.0.0 > > Attachments: hbase-14579.patch > > > That's the HBase version of HADOOP-10683. > We see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:SIMPLE)?? > while we would like to see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:KERBEROS)?? > The fix is simple, but it means we need hadoop 2.5+. > There is also a lot of cases where HBase calls "createUser" w/o specifying > the authentication method... I don"'t have the solution for these ones. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[ https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14953639#comment-14953639 ] stack commented on HBASE-14579: --- I can do this for you if you want [~nkeywal]? Let me know. > Users authenticated with KERBEROS are recorded as being authenticated with > SIMPLE > - > > Key: HBASE-14579 > URL: https://issues.apache.org/jira/browse/HBASE-14579 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 1.0.0, 1.2.0, 0.98.15 >Reporter: Nicolas Liochon >Assignee: Nicolas Liochon >Priority: Minor > Fix For: 2.0.0 > > Attachments: hbase-14579.patch > > > That's the HBase version of HADOOP-10683. > We see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:SIMPLE)?? > while we would like to see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:KERBEROS)?? > The fix is simple, but it means we need hadoop 2.5+. > There is also a lot of cases where HBase calls "createUser" w/o specifying > the authentication method... I don"'t have the solution for these ones. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[
https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14952250#comment-14952250
]
Nicolas Liochon commented on HBASE-14579:
-
I'm not sure I understand correctly the test patch script. Can I just change
the property
{code}
# All supported Hadoop versions that we want to test the compilation with
HADOOP2_VERSIONS="2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.0 2.6.1 2.7.0 2.7.1"
{code}
to
{code}
HADOOP2_VERSIONS="2.5.0 2.5.1 2.5.2 2.6.0 2.6.1 2.7.0 2.7.1"
{code}
Or is there is a risk to hide a problem a patch could cause to the 0.98 release
(and even the 0.94)?
We will need to update the matrix in the hbase book as well...
> Users authenticated with KERBEROS are recorded as being authenticated with
> SIMPLE
> -
>
> Key: HBASE-14579
> URL: https://issues.apache.org/jira/browse/HBASE-14579
> Project: HBase
> Issue Type: Bug
> Components: security
>Affects Versions: 1.0.0, 1.2.0, 0.98.15
>Reporter: Nicolas Liochon
>Assignee: Nicolas Liochon
>Priority: Minor
> Fix For: 2.0.0
>
> Attachments: hbase-14579.patch
>
>
> That's the HBase version of HADOOP-10683.
> We see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful
> for securedUser/localh...@example.com (auth:SIMPLE)??
> while we would like to see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful
> for securedUser/localh...@example.com (auth:KERBEROS)??
> The fix is simple, but it means we need hadoop 2.5+.
> There is also a lot of cases where HBase calls "createUser" w/o specifying
> the authentication method... I don"'t have the solution for these ones.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[ https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14951338#comment-14951338 ] stack commented on HBASE-14579: --- bq. Yes. Is that an issue for the 2.0 branch? I'd say it would be fine to drop 2.4 hadoop for 2.0 hbase. > Users authenticated with KERBEROS are recorded as being authenticated with > SIMPLE > - > > Key: HBASE-14579 > URL: https://issues.apache.org/jira/browse/HBASE-14579 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 1.0.0, 1.2.0, 0.98.15 >Reporter: Nicolas Liochon >Assignee: Nicolas Liochon >Priority: Minor > Fix For: 2.0.0 > > Attachments: hbase-14579.patch > > > That's the HBase version of HADOOP-10683. > We see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:SIMPLE)?? > while we would like to see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:KERBEROS)?? > The fix is simple, but it means we need hadoop 2.5+. > There is also a lot of cases where HBase calls "createUser" w/o specifying > the authentication method... I don"'t have the solution for these ones. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[ https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14951609#comment-14951609 ] Andrew Purtell commented on HBASE-14579: +1, I think we're already saying people should use 2.6.1 or later with 1.x. > Users authenticated with KERBEROS are recorded as being authenticated with > SIMPLE > - > > Key: HBASE-14579 > URL: https://issues.apache.org/jira/browse/HBASE-14579 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 1.0.0, 1.2.0, 0.98.15 >Reporter: Nicolas Liochon >Assignee: Nicolas Liochon >Priority: Minor > Fix For: 2.0.0 > > Attachments: hbase-14579.patch > > > That's the HBase version of HADOOP-10683. > We see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:SIMPLE)?? > while we would like to see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:KERBEROS)?? > The fix is simple, but it means we need hadoop 2.5+. > There is also a lot of cases where HBase calls "createUser" w/o specifying > the authentication method... I don"'t have the solution for these ones. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[ https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14948684#comment-14948684 ] Nicolas Liochon commented on HBASE-14579: - > The patch appears to cause mvn compile goal to fail with Hadoop version 2.4.0. Yes. Is that an issue for the 2.0 branch? > Users authenticated with KERBEROS are recorded as being authenticated with > SIMPLE > - > > Key: HBASE-14579 > URL: https://issues.apache.org/jira/browse/HBASE-14579 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 1.0.0, 1.2.0, 0.98.15 >Reporter: Nicolas Liochon >Assignee: Nicolas Liochon >Priority: Minor > Fix For: 2.0.0 > > Attachments: hbase-14579.patch > > > That's the HBase version of HADOOP-10683. > We see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:SIMPLE)?? > while we would like to see: > ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful > for securedUser/localh...@example.com (auth:KERBEROS)?? > The fix is simple, but it means we need hadoop 2.5+. > There is also a lot of cases where HBase calls "createUser" w/o specifying > the authentication method... I don"'t have the solution for these ones. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-14579) Users authenticated with KERBEROS are recorded as being authenticated with SIMPLE
[
https://issues.apache.org/jira/browse/HBASE-14579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14948679#comment-14948679
]
Hadoop QA commented on HBASE-14579:
---
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12765589/hbase-14579.patch
against master branch at commit 7e30436e3fa84525b85b05b9e23cb01b2ada7c12.
ATTACHMENT ID: 12765589
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:red}-1 javac{color}. The patch appears to cause mvn compile goal to
fail with Hadoop version 2.4.0.
Compilation errors resume:
[ERROR] COMPILATION ERROR :
[ERROR]
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcServer.java:[1342,36]
method createRemoteUser in class
org.apache.hadoop.security.UserGroupInformation cannot be applied to given
types;
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-compiler-plugin:3.2:compile (default-compile) on
project hbase-server: Compilation failure
[ERROR]
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/hbase/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcServer.java:[1342,36]
method createRemoteUser in class
org.apache.hadoop.security.UserGroupInformation cannot be applied to given
types;
[ERROR] required: java.lang.String
[ERROR] found:
java.lang.String,org.apache.hadoop.security.SaslRpcServer.AuthMethod
[ERROR] reason: actual and formal argument lists differ in length
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e
switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please
read the following articles:
[ERROR] [Help 1]
http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn -rf :hbase-server
Console output:
https://builds.apache.org/job/PreCommit-HBASE-Build/15915//console
This message is automatically generated.
> Users authenticated with KERBEROS are recorded as being authenticated with
> SIMPLE
> -
>
> Key: HBASE-14579
> URL: https://issues.apache.org/jira/browse/HBASE-14579
> Project: HBase
> Issue Type: Bug
> Components: security
>Affects Versions: 1.0.0, 1.2.0, 0.98.15
>Reporter: Nicolas Liochon
>Assignee: Nicolas Liochon
>Priority: Minor
> Fix For: 2.0.0
>
> Attachments: hbase-14579.patch
>
>
> That's the HBase version of HADOOP-10683.
> We see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful
> for securedUser/localh...@example.com (auth:SIMPLE)??
> while we would like to see:
> ??hbase.Server (RpcServer.java:saslReadAndProcess(1446)) - Auth successful
> for securedUser/localh...@example.com (auth:KERBEROS)??
> The fix is simple, but it means we need hadoop 2.5+.
> There is also a lot of cases where HBase calls "createUser" w/o specifying
> the authentication method... I don"'t have the solution for these ones.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
