[jira] [Comment Edited] (HBASE-17860) Implement secure native client connection
[
https://issues.apache.org/jira/browse/HBASE-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15955999#comment-15955999
]
Ted Yu edited comment on HBASE-17860 at 4/5/17 5:31 PM:
[~eclark] was asking why not casting the callback methods.
I answered on RB but the compilation errors are not properly formatted.
However, the assignment of callback functions triggers the following
compilation errors:
{code}
connection/connection-factory.cc:164:22: error: reinterpret_cast from 'int
(SaslHandler::*)(void *, int, const char *)' to 'sasl_callback_ft' (aka 'int
(*)()') is not allowed
callback->proc = reinterpret_cast
(::SaslLogFn);
^~~~
connection/connection-factory.cc:169:22: error: cannot cast from type 'int
(SaslHandler::*)(void *, const char **)' to pointer type 'sasl_callback_ft'
(aka 'int (*)()')
callback->proc = (sasl_callback_ft) ::GetPluginPath;
^~
connection/connection-factory.cc:175:22: error: cannot cast from type 'int
(SaslHandler::*)(void *, int, const char **, unsigned int *)' to pointer type
'sasl_callback_ft' (aka 'int (*)()')
callback->proc = (sasl_callback_ft) ::Simple;
{code}
I also tried other cast's which resulted in other compilation errors.
was (Author: yuzhih...@gmail.com):
[~eclark] was asking why not casting the callback methods.
I answered on RB but the compilation errors are not properly formatted.
However, the assignment of callback functions triggers the following
compilation errors:
{code}
connection/connection-factory.cc:164:22: error: reinterpret_cast from 'int
(SaslHandler::*)(void *, int, const char *)' to 'sasl_callback_ft' (aka 'int
(*)()') is not allowed
callback->proc = reinterpret_cast
(::SaslLogFn);
^~~~
connection/connection-factory.cc:169:22: error: cannot cast from type 'int
(SaslHandler::*)(void *, const char **)' to pointer type 'sasl_callback_ft'
(aka 'int (*)()')
callback->proc = (sasl_callback_ft) ::GetPluginPath;
^~
connection/connection-factory.cc:175:22: error: cannot cast from type 'int
(SaslHandler::*)(void *, int, const char **, unsigned int *)' to pointer type
'sasl_callback_ft' (aka 'int (*)()')
callback->proc = (sasl_callback_ft) ::Simple;
{code}
> Implement secure native client connection
> -
>
> Key: HBASE-17860
> URL: https://issues.apache.org/jira/browse/HBASE-17860
> Project: HBase
> Issue Type: Sub-task
>Reporter: Ted Yu
>Assignee: Ted Yu
>Priority: Critical
> Attachments: 17860.v2.txt, 17860.v3.txt, 17860.v4.txt
>
>
> So far, the native client communicates with insecure cluster.
> This JIRA is to add secure connection support for native client using Cyrus
> library.
> The work is based on earlier implementation and is redone via wangle and
> folly frameworks.
> Thanks to [~devaraj] who started the initiative.
> Here is high level description of the design:
> * SaslHandler is declared as:
> {code}
> class SaslHandler
> : public wangle::HandlerAdapter std::unique_ptr>{
> {code}
> It would be inserted between EventBaseHandler and
> LengthFieldBasedFrameDecoder in the pipeline (via
> ConnectionFactory::Connect())
> * SaslHandler would intercept writes to server by buffering the IOBuf's and
> start the handshake process (via sasl_client_XX calls provided by Cyrus)
> * after handshake is complete, SaslHandler would send the buffered IOBuf's to
> server and act as pass-thru from then on
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Comment Edited] (HBASE-17860) Implement secure native client connection
[
https://issues.apache.org/jira/browse/HBASE-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15951593#comment-15951593
]
Ted Yu edited comment on HBASE-17860 at 3/31/17 10:19 PM:
--
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm and export CYRUS_SASL_PLUGINS_DIR
pointing to the directory where sasl library resides
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* generate hbase-host.keytab for server (and optionally hbase.keytab for user,
if you don't want to type password)
* run kinit with the keytab for user "hbase", or by providing password to kinit
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table (test would populate the table with)
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
was (Author: yuzhih...@gmail.com):
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm and export CYRUS_SASL_PLUGINS_DIR
pointing to the directory where sasl library resides
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* generate hbase-host.keytab for server (and optionally hbase.keytab for user,
if you don't want to type password)
* run kinit with the keytab for user "hbase", or by providing password to kinit
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table (test would populate the table with:)
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
> Implement secure native client connection
> -
>
> Key: HBASE-17860
> URL: https://issues.apache.org/jira/browse/HBASE-17860
> Project: HBase
> Issue Type: Sub-task
>Reporter: Ted Yu
>Assignee: Ted Yu
>Priority: Critical
>
> So far, the native client communicates with insecure cluster.
> This JIRA is to add secure connection support for native client using Cyrus
> library.
> The work is based on earlier implementation and is redone via wangle and
> folly frameworks.
> Thanks to [~devaraj] who started the initiative.
> Here is high level description of the design:
> * SaslHandler is declared as:
> {code}
> class SaslHandler
> : public wangle::HandlerAdapter std::unique_ptr>{
> {code}
> It would be inserted between EventBaseHandler and
> LengthFieldBasedFrameDecoder in the pipeline (via
> ConnectionFactory::Connect())
> * SaslHandler would intercept writes to server by buffering the IOBuf's and
> start the handshake process (via sasl_client_XX calls provided by Cyrus)
> * after handshake is complete, SaslHandler would send the buffered IOBuf's to
> server and act as pass-thru from then on
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Comment Edited] (HBASE-17860) Implement secure native client connection
[
https://issues.apache.org/jira/browse/HBASE-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15951593#comment-15951593
]
Ted Yu edited comment on HBASE-17860 at 3/31/17 10:09 PM:
--
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm and export CYRUS_SASL_PLUGINS_DIR
pointing to the directory where sasl library resides
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* generate hbase-host.keytab for server (and optionally hbase.keytab for user,
if you don't want to type password)
* run kinit with the keytab for user "hbase", or by providing password to kinit
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table (test would populate the table with:)
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
was (Author: yuzhih...@gmail.com):
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm and export CYRUS_SASL_PLUGINS_DIR
pointing to the directory where sasl library resides
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* generate hbase-host.keytab for server (and optionally hbase.keytab for user)
* run kinit with the keytab
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table (test would populate the table with:)
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
> Implement secure native client connection
> -
>
> Key: HBASE-17860
> URL: https://issues.apache.org/jira/browse/HBASE-17860
> Project: HBase
> Issue Type: Sub-task
>Reporter: Ted Yu
>Assignee: Ted Yu
>Priority: Critical
>
> So far, the native client communicates with insecure cluster.
> This JIRA is to add secure connection support for native client using Cyrus
> library.
> The work is based on earlier implementation and is redone via wangle and
> folly frameworks.
> Thanks to [~devaraj] who started the initiative.
> Here is high level description of the design:
> * SaslHandler is declared as:
> {code}
> class SaslHandler
> : public wangle::HandlerAdapter std::unique_ptr>{
> {code}
> It would be inserted between EventBaseHandler and
> LengthFieldBasedFrameDecoder in the pipeline (via
> ConnectionFactory::Connect())
> * SaslHandler would intercept writes to server by buffering the IOBuf's and
> start the handshake process (via sasl_client_XX calls provided by Cyrus)
> * after handshake is complete, SaslHandler would send the buffered IOBuf's to
> server and act as pass-thru from then on
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Comment Edited] (HBASE-17860) Implement secure native client connection
[
https://issues.apache.org/jira/browse/HBASE-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15951593#comment-15951593
]
Ted Yu edited comment on HBASE-17860 at 3/31/17 9:56 PM:
-
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm and export CYRUS_SASL_PLUGINS_DIR
pointing to the directory where sasl library resides
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* generate hbase-host.keytab for server (and optionally hbase.keytab for user)
* run kinit with the keytab
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table (test would populate the table with:)
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
was (Author: yuzhih...@gmail.com):
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* generate hbase-host.keytab for server (and optionally hbase.keytab for user)
* run kinit with the keytab
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table (test would populate the table with:)
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
> Implement secure native client connection
> -
>
> Key: HBASE-17860
> URL: https://issues.apache.org/jira/browse/HBASE-17860
> Project: HBase
> Issue Type: Sub-task
>Reporter: Ted Yu
>Assignee: Ted Yu
>Priority: Critical
>
> So far, the native client communicates with insecure cluster.
> This JIRA is to add secure connection support for native client using Cyrus
> library.
> The work is based on earlier implementation and is redone via wangle and
> folly frameworks.
> Thanks to [~devaraj] who started the initiative.
> Here is high level description of the design:
> * SaslHandler is declared as:
> {code}
> class SaslHandler
> : public wangle::HandlerAdapter std::unique_ptr>{
> {code}
> It would be inserted between EventBaseHandler and
> LengthFieldBasedFrameDecoder in the pipeline (via
> ConnectionFactory::Connect())
> * SaslHandler would intercept writes to server by buffering the IOBuf's and
> start the handshake process (via sasl_client_XX calls provided by Cyrus)
> * after handshake is complete, SaslHandler would send the buffered IOBuf's to
> server and act as pass-thru from then on
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Comment Edited] (HBASE-17860) Implement secure native client connection
[
https://issues.apache.org/jira/browse/HBASE-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15951593#comment-15951593
]
Ted Yu edited comment on HBASE-17860 at 3/31/17 9:30 PM:
-
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* generate hbase-host.keytab for server (and optionally hbase.keytab for user)
* run kinit with the keytab
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table (test would populate the table with:)
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
was (Author: yuzhih...@gmail.com):
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* generate hbase-host.keytab for server (and optionally hbase.keytab for user)
* run kinit with the keytab
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table and populate with:
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
> Implement secure native client connection
> -
>
> Key: HBASE-17860
> URL: https://issues.apache.org/jira/browse/HBASE-17860
> Project: HBase
> Issue Type: Sub-task
>Reporter: Ted Yu
>Assignee: Ted Yu
>Priority: Critical
>
> So far, the native client communicates with insecure cluster.
> This JIRA is to add secure connection support for native client using Cyrus
> library.
> The work is based on earlier implementation and is redone via wangle and
> folly frameworks.
> Thanks to [~devaraj] who started the initiative.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Comment Edited] (HBASE-17860) Implement secure native client connection
[
https://issues.apache.org/jira/browse/HBASE-17860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15951593#comment-15951593
]
Ted Yu edited comment on HBASE-17860 at 3/31/17 8:28 PM:
-
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* generate hbase-host.keytab for server (and optionally hbase.keytab for user)
* run kinit with the keytab
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table and populate with:
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
was (Author: yuzhih...@gmail.com):
Here is brief procedure for testing:
* install cyrus-sasl-2.1.26 on docker vm
* follow this link to install kerberos packages:
https://help.ubuntu.com/lts/serverguide/kerberos.html
* follow this link to configure KDC:
https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/
* apply the patch which sets necessary config in conf/hbase-site.xml
* run bin/start-hbase.sh to start hbase server
* use hbase shell to create table and populate with:
{code}
test1 column=d:1,
timestamp=1490984371943, value=value1
test1 column=d:extra,
timestamp=1490984371949, value=value for extra
test2 column=d:2,
timestamp=1490831145321, value=value2
test2 column=d:extra,
timestamp=1490831219721, value=value for extra
{code}
* run the following command and verify that ClientTest.PutGet passes:
buck test //core:client-test --no-results-cache
> Implement secure native client connection
> -
>
> Key: HBASE-17860
> URL: https://issues.apache.org/jira/browse/HBASE-17860
> Project: HBase
> Issue Type: Sub-task
>Reporter: Ted Yu
>Assignee: Ted Yu
>Priority: Critical
>
> So far, the native client communicates with insecure cluster.
> This JIRA is to add secure connection support for native client using Cyrus
> library.
> The work is based on earlier implementation and is redone via wangle and
> folly frameworks.
> Thanks to [~devaraj] who started the initiative.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
