Posted to issues@hbase.apache.org by "Eugene Koontz (Created) (JIRA)" <ji...@apache.org> on 2011/11/15 21:50:53 UTC

[jira] [Created] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
--------------------------------------------------------------------------------------------------------------------------

                 Key: HBASE-4791
                 URL: https://issues.apache.org/jira/browse/HBASE-4791
             Project: HBase
          Issue Type: Bug
            Reporter: Eugene Koontz


In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in System.setProperty("java.security.auth.login.config").

However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).

This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13395890#comment-13395890 ] 

Matteo Bertozzi commented on HBASE-4791:
----------------------------------------

{quote}Configuration.setConfiguration overwrites the default configuration. May cause problems, if client application also expects this way.{quote}
If your configuration keeps the previous one and returns the previous one when someone requests data not handled by this custom configuration, I don't see where the problem is. It is just adding a new property to the conf. Maybe there's a better way than overriding login.Configuration.

{quote}For every ZooKeeper client connection we need to do this Configuration.setConfiguration.{quote}
It is not per connection but per process; this means Region Servers and Master. In the attached draft patch, at startup the RS and Master call ZKUtil.Login to set up the LoginContext, the same thing that UserLogin does now.
                
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>         Attachments: DemoConfig.java, HBASE-4791-v0.patch
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-4791:
-----------------------------------

    Attachment: HBASE-4791-v1.patch

I'll try to explain how the jaas.conf works...

On the first call of javax.security.auth.login.Configuration.getConfiguration(), the "login.configuration.provider" property is checked to see which Configuration class handles the jaas.

If the property is not set, "com.sun.security.auth.login.ConfigFile" is used as the jaas.conf reader...
It checks whether "java.security.auth.login.config" was specified, and if so it reads the file and keeps the "jaas options".

So in your JVM there's just one single instance of auth.login.Configuration running.

The idea here is to avoid specifying -Djava.security.auth.login.config=jaas.conf for the HBase Region Server and HBase Master, and to use hbase-site instead. One simple way to do that is to create a custom auth.login.Configuration class that returns the "jaas options" needed by HBase.

Now you have two options for using your Configuration class: setting the "login.configuration.provider" property to point to the proper class, or calling auth.login.Configuration.setConfiguration() and providing the custom configuration class.

I've chosen the second way since you don't have to rely on "Have I already called Configuration.getConfiguration() somewhere?" and put the setProperty() as the first line... but the only thing to be aware of is "do this before connecting to zookeeper".

                
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>         Attachments: DemoConfig.java, HBASE-4791-v0.patch, HBASE-4791-v1.patch
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	
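
The mechanism described in the comment above (one process-wide javax.security.auth.login.Configuration, replaced through Configuration.setConfiguration() before connecting to ZooKeeper), together with the fallback to the previous configuration discussed elsewhere in this thread, as an added example that is not part of the original comment or of the attached patches. The class name DelegatingJaasConfig and its install() helper are hypothetical; the keytab path and principal are the sample values from the "Client" section quoted in this thread.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Hypothetical class for illustration; not HBase's ZKUtil and not the attached patch.
public class DelegatingJaasConfig extends Configuration {
    private static final String KRB5_MODULE =
        "com.sun.security.auth.module.Krb5LoginModule";

    private final String section;                  // JAAS section this object answers for
    private final AppConfigurationEntry[] entries; // what a jaas.conf section would hold
    private final Configuration previous;          // earlier process-wide config, may be null

    public DelegatingJaasConfig(String section, String keytab, String principal,
                                Configuration previous) {
        if (keytab == null || keytab.isEmpty()
                || principal == null || principal.isEmpty()) {
            throw new IllegalArgumentException("keytab and principal are required");
        }
        // Same options as the "Client" section shown in the thread.
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("useTicketCache", "false");
        options.put("keyTab", keytab);
        options.put("principal", principal);

        this.section = section;
        this.previous = previous;
        this.entries = new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, options)
        };
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (section.equals(name)) {
            return entries.clone();
        }
        // Sections we do not own are answered by whatever was installed before,
        // so other JAAS users in the same JVM keep working.
        return previous != null ? previous.getAppConfigurationEntry(name) : null;
    }

    // Installs the configuration for the whole JVM. Call once at process startup,
    // before the first ZooKeeper connection is opened.
    public static synchronized Configuration install(String keytab, String principal) {
        Configuration previous;
        try {
            previous = Configuration.getConfiguration();
        } catch (SecurityException e) {
            // No jaas.conf was configured for this JVM: nothing to delegate to.
            previous = null;
        }
        // The ZooKeeper client reads the section named by this property, default "Client".
        String section = System.getProperty("zookeeper.sasl.clientconfig", "Client");
        Configuration cfg = new DelegatingJaasConfig(section, keytab, principal, previous);
        Configuration.setConfiguration(cfg);
        return cfg;
    }

    public static void main(String[] args) {
        // Sample values taken from the "Client" section quoted in this thread.
        install("/hbase/master/conf/hbase.keytab", "hbase/hadoop@HADOOP.COM");

        Configuration active = Configuration.getConfiguration();
        for (AppConfigurationEntry e : active.getAppConfigurationEntry("Client")) {
            System.out.println(e.getLoginModuleName() + " " + e.getOptions());
        }
        // A section this class does not own falls through to the previous config.
        System.out.println("Other section: "
            + (active.getAppConfigurationEntry("Other") == null ? "not defined" : "delegated"));
    }
}
```

Because the configuration is process-wide, a check at startup that Configuration.getConfiguration() returns the installed object catches the case where another component replaced it afterwards.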


        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "stack (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510191#comment-13510191 ] 

stack commented on HBASE-4791:
------------------------------

[~mbertozzi] getHostName I'd say.  HBASE-7273 just committed regards your 3.4.5 request.
                
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, Zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Matteo Bertozzi
>              Labels: security, zookeeper
>         Attachments: DemoConfig.java, HBASE-4791-v1.patch, HBASE-4791-v2.patch, HBASE-4791-v3.patch
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13393531#comment-13393531 ] 

Matteo Bertozzi commented on HBASE-4791:
----------------------------------------

No changes are needed in ZooKeeper; it already allows specifying a JAAS configuration by code:

ZooKeeperSaslClient checks first for an available configuration entry; if it is not available, it checks the system property "java.security.auth.login.config". Also, you can set "zookeeper.sasl.clientconfig" to set the configuration with something different than "Client" (ZOOKEEPER-1373).
                
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>         Attachments: HBASE-4791-v0.patch
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "stack (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

stack updated HBASE-4791:
-------------------------

    Status: Patch Available  (was: Open)

Passing by hadoopqa.

In the below, is 'localhost' always right, Matteo?

{code}
+        // login the zookeeper server principal (if using security)
+        ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
+          "hbase.zookeeper.server.kerberos.principal", "localhost");
{code}
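
Review bot: the fourth argument on the last added line is the hard-coded literal "localhost", passed alongside the keytab and principal keys. If that value is used to fill in the host part of the principal read from hbase.zookeeper.server.kerberos.principal, the login will only match a keytab entry issued for localhost and will fail on any machine whose keytab carries its real hostname. Consider passing the resolved hostname of the machine instead, or add a comment stating why a fixed value is correct for the embedded quorum peer.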

Otherwise patch looks good.  Needs release note boss.

Is this trunk only?  Or you want it in 0.94 too?
                
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, Zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Matteo Bertozzi
>              Labels: security, zookeeper
>         Attachments: DemoConfig.java, HBASE-4791-v1.patch, HBASE-4791-v2.patch, HBASE-4791-v3.patch
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-4791:
-----------------------------------

    Attachment:     (was: HBASE-4791-v1.patch)
    
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>         Attachments: DemoConfig.java
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-4791:
-----------------------------------

    Attachment: HBASE-4791-v1.patch

Attached a patch that depends on ZOOKEEPER-1497, just to be able to start secure zookeeper from hbase (non distributed mode).

Using hbase-site.xml configuration instead:
 * hbase.zookeeper.client.keytab.file
 * hbase.zookeeper.client.kerberos.principal
"Client" properties are used by HBase Master and Region Servers.
 * hbase.zookeeper.server.keytab.file
 * hbase.zookeeper.server.kerberos.principal
"Server" properties are used by Quorum Peer when zookeeper is not external.

                
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>         Attachments: DemoConfig.java, HBASE-4791-v1.patch
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-4791:
-----------------------------------

    Attachment:     (was: HBASE-4791-v0.patch)
    
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>         Attachments: DemoConfig.java
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


        

[jira] [Assigned] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Eugene Koontz (Assigned) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eugene Koontz reassigned HBASE-4791:
------------------------------------

    Assignee: Eugene Koontz
    
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Laxman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13393665#comment-13393665 ] 

Laxman commented on HBASE-4791:
-------------------------------

@Matt, "zookeeper.sasl.clientconfig" is only for the client context name. Basically, in a JAAS configuration we can have multiple sections like the one below.

{noformat}
Client {       
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true       
useTicketCache=false
keyTab="/hbase/master/conf/hbase.keytab"       
principal="hbase/hadoop@HADOOP.COM";    
}; 
{noformat}

ZOOKEEPER-1373 enables the user to configure a specific section from JAAS to be used for zookeeper and *it still requires the configuration "java.security.auth.login.config"*. But the current jira is mainly about allowing JAAS to be configured programmatically and avoiding configuration via system property. So, this requires changes on zookeeper like allowing the client to provide a config object or so...

Correct me if my understanding is wrong.
                
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>         Attachments: HBASE-4791-v0.patch
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13396583#comment-13396583 ] 

Matteo Bertozzi commented on HBASE-4791:
----------------------------------------

{quote}
Configuration.setConfiguration - Doesn't seem to be a clean approach.
What happens when you want to use multiple ZK clusters from same ZK client?
{quote}
Is it not the same as what happens today? You can specify one single jaas.conf and you've just one Client section read.

{quote}
Other problem with this approach is concurrency issues. No?
Think of the following scenario from a HBase client application which accesses HBase and ZooKeeper for various purposes.
{quote}
What do you mean by HBase Client? For me, the only hbase client interested by this change is Master and Region Server.
And the configuration is set at startup. Check User.login(), which does exactly the same thing in the RS and Master code.

{quote}
What's your opinion on providing this as part of ZooKeeper client code allowing clients to configure thru constructor.
ZooKeeper(conf) - conf may be Map/ZKConfig/Properties/some other better data structure.
{quote}
This sounds good anyway, just to have a clear way to specify the authentication by code in a less hackish way.
                
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>          Components: security, zookeeper
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>         Attachments: DemoConfig.java, HBASE-4791-v0.patch
>
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Eugene Koontz (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eugene Koontz updated HBASE-4791:
---------------------------------

    Issue Type: Improvement  (was: Bug)
    
> Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-4791
>                 URL: https://issues.apache.org/jira/browse/HBASE-4791
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: security, zookeeper
>
> In the currently proposed fix for HBASE-2418, there must be a JAAS file specified in     System.setProperty("java.security.auth.login.config"). 
> However, it might be preferable to construct a JAAS configuration programmatically, as is done with secure Hadoop (see https://github.com/apache/hadoop-common/blob/a48eceb62c9b5c1a5d71ee2945d9eea2ed62527b/src/java/org/apache/hadoop/security/UserGroupInformation.java#L175).
> This would have the benefit of avoiding a usage of a system property setting, and allow instead an HBase-local configuration setting.	


        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Laxman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13395875#comment-13395875 ] 

Laxman commented on HBASE-4791:
-------------------------------

I understand Matt. Looks good.
IIUC, your suggestion is that "ZooKeeper clients (like HBase) have to set this via Configuration.setConfiguration."

Following are points of discussion if we go with this approach.

* For every ZooKeeper client connection we need to do this Configuration.setConfiguration.
* Configuration.setConfiguration overwrites the default configuration. May cause problems, if client application also expects this way.
                

        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-4791:
-----------------------------------

    Attachment: HBASE-4791-v2.patch

Instead of adding a new property and relative function I've tried this way:
The only properties are still keyTab.file and principal, just loginClient() function.
If there's no keyTabFile you use the ticket cache.

Otherwise there's the strange case where you can set ticketCache=false and no keyTab.

What do you think?
                

        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407515#comment-13407515 ] 

Andrew Purtell commented on HBASE-4791:
---------------------------------------

bq. This means introducing an incompatible change

No, I just meant it should not be _required_ to use a JAAS configuration file. Maintaining compatibility if there is one we can/should still do. 
                

        

[jira] [Assigned] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Purtell reassigned HBASE-4791:
-------------------------------------

    Assignee: Matteo Bertozzi  (was: Eugene Koontz)
    

        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Laxman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13396565#comment-13396565 ] 

Laxman commented on HBASE-4791:
-------------------------------

@Matt, Thanks for your quick response and patience.

Configuration.setConfiguration - doesn't seem to be a clean approach.
What happens when you want to use multiple ZK clusters from the same ZK client?
The other problem with this approach is concurrency issues. No?

Think of the following scenario from an HBase client application which accesses HBase and ZooKeeper for various purposes.

Thread-1 (HBase Client thread)
Step #1.1: oldConfig1 = Configuration.getConfiguration
Step #1.2: Configuration.setConfiguration(newConfig1)
Step #1.3: Initialize Do some work
Step #1.4: Configuration.setConfiguration(oldConfig1)

Thread-2 (Application specific thread)
Step #2.1: oldConfig2 = Configuration.getConfiguration
Step #2.2: Configuration.setConfiguration(newConfig2)
Step #2.3: Establish ZK Connection & do some work
Step #2.4: Configuration.setConfiguration(oldConfig2)

Will you be able to predict the behavior here when both of the threads run simultaneously?
Note that synchronization also may not help, as Thread-1 is HBase specific and Thread-2 is application specific.

What's your opinion on providing this as part of the ZooKeeper client code, allowing clients to configure it through the constructor?

ZooKeeper(conf) - conf may be Map/ZKConfig/Properties/some other better data structure.

                
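The two-thread scenario in the comment above, forced into one fixed interleaving (1.1, 1.2, 2.1, 2.2, 1.3, 1.4, 2.3, 2.4) with latches. This is an added example, not code from the patch or from DemoConfig.java; the class names, the tags and the "Client" section name are assumptions made for the illustration. The last lines of main use the JDK's four-argument LoginContext constructor, which takes a Configuration directly and never touches the process-wide slot.

```java
import java.util.Collections;
import java.util.concurrent.CountDownLatch;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class JaasGlobalConfigRace {

    /** In-memory JAAS configuration; the tag only records who installed it (hypothetical helper). */
    static final class TaggedConfig extends Configuration {
        final String tag;
        TaggedConfig(String tag) { this.tag = tag; }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED,
                    Collections.singletonMap("useTicketCache", "true"))
            };
        }
    }

    /** Tag of the configuration that a login started right now would read from the global slot. */
    static String visibleTag() {
        Configuration c = Configuration.getConfiguration();
        return (c instanceof TaggedConfig) ? ((TaggedConfig) c).tag : "unknown";
    }

    static void await(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException(e);
        }
    }

    /** Returns { what Thread-1 worked under, what Thread-2 worked under, what is left installed }. */
    static String[] runInterleaving() throws InterruptedException {
        Configuration.setConfiguration(new TaggedConfig("default"));
        CountDownLatch t1Installed = new CountDownLatch(1);
        CountDownLatch t2Installed = new CountDownLatch(1);
        CountDownLatch t1Restored = new CountDownLatch(1);
        String[] seen = new String[3];

        Thread t1 = new Thread(() -> {                                   // HBase client thread
            Configuration old1 = Configuration.getConfiguration();       // Step 1.1
            Configuration.setConfiguration(new TaggedConfig("hbase"));   // Step 1.2
            t1Installed.countDown();
            await(t2Installed);
            seen[0] = visibleTag();                                      // Step 1.3: do some work
            Configuration.setConfiguration(old1);                        // Step 1.4
            t1Restored.countDown();
        });
        Thread t2 = new Thread(() -> {                                   // application thread
            await(t1Installed);
            Configuration old2 = Configuration.getConfiguration();       // Step 2.1: saves Thread-1's config
            Configuration.setConfiguration(new TaggedConfig("app"));     // Step 2.2
            t2Installed.countDown();
            await(t1Restored);
            seen[1] = visibleTag();                                      // Step 2.3: connect to ZK
            Configuration.setConfiguration(old2);                        // Step 2.4: "restores" Thread-1's config
        });
        t1.start();
        t2.start();
        t1.join();
        t2.join();
        seen[2] = visibleTag();
        return seen;
    }

    public static void main(String[] args) throws Exception {
        String[] seen = runInterleaving();
        System.out.println("Thread-1 installed 'hbase' and worked under: " + seen[0]);
        System.out.println("Thread-2 installed 'app' and worked under:   " + seen[1]);
        System.out.println("Left installed after both restored:          " + seen[2]);

        // Per-context alternative: each LoginContext carries its own Configuration.
        // login() is not called here because it would need a reachable KDC.
        Configuration.setConfiguration(new TaggedConfig("default"));
        LoginContext hbaseLogin = new LoginContext("Client", null, null, new TaggedConfig("hbase"));
        LoginContext appLogin = new LoginContext("Client", null, null, new TaggedConfig("app"));
        System.out.println("Global slot after building both contexts:    " + visibleTag());
    }
}
```

In this interleaving each thread does its work under a configuration it did not install, and the save/restore pairs leave the HBase thread's configuration in the global slot instead of the original default.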

        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407389#comment-13407389 ] 

Matteo Bertozzi commented on HBASE-4791:
----------------------------------------

{quote}We should get away from requiring a JAAS configuration file entirely, as the issue title implies.{quote}
This means introducing an incompatible change, is not better keeping both? just because is a nop. If user has provided jaas from cmdline do nothing...

Other than that I agree with loginClientFromKeytab() and the ticket cache.
                

        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Laxman (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Laxman updated HBASE-4791:
--------------------------

    Component/s: zookeeper
                 security
    

        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407376#comment-13407376 ] 

Andrew Purtell commented on HBASE-4791:
---------------------------------------

Patch looks good. This is almost there. We should get away from requiring a JAAS configuration file entirely, as the issue title implies.

Consider adding another app configuration entry for using the ticket cache instead of a keytab. Consider adding a ZKUtil.loginClientFromKeytab method, which does as the name suggests. Consider changing ZKUtil.loginClient to instead use the ticket cache. If the {{hbase.zookeeper.client.keytab.file}} property is present, use the former, otherwise use the latter. It may also be worth considering falling back to the ticket cache if the keytab file is missing.
                
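One way to express the selection rule suggested in the comment above (keytab when the keytab property is set, ticket cache otherwise, with a fallback to the ticket cache when the keytab file is missing) as a programmatic JAAS Configuration. This is an added sketch, not the contents of any HBASE-4791 patch; the class name, the use of java.util.Properties as a stand-in for hbase-site.xml, and the "Client" section name are assumptions. Because the mode is derived only from the keytab property, the state "no keytab and no ticket cache" cannot be configured.

```java
import java.io.File;
import java.io.IOException;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class ZkClientJaasConfig extends Configuration {
    // Property names as given in this thread.
    static final String KEYTAB_KEY = "hbase.zookeeper.client.keytab.file";
    static final String PRINCIPAL_KEY = "hbase.zookeeper.client.kerberos.principal";
    static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    private final String section;               // JAAS section name this config answers for
    private final Map<String, String> options;  // Krb5LoginModule options chosen at construction

    ZkClientJaasConfig(String section, Properties site) {
        this.section = section;
        this.options = krb5Options(site);
    }

    /** Chooses keytab login or ticket-cache login from the two client properties. */
    static Map<String, String> krb5Options(Properties site) {
        String keytab = site.getProperty(KEYTAB_KEY);
        String principal = site.getProperty(PRINCIPAL_KEY);
        Map<String, String> o = new TreeMap<>();
        o.put("doNotPrompt", "true");            // a daemon must never wait for a password prompt
        if (principal != null) {
            o.put("principal", principal);
        }
        boolean keytabUsable = keytab != null && !keytab.isEmpty() && new File(keytab).canRead();
        if (keytabUsable) {
            if (principal == null) {
                throw new IllegalArgumentException(KEYTAB_KEY + " is set but " + PRINCIPAL_KEY + " is not");
            }
            o.put("useKeyTab", "true");
            o.put("keyTab", keytab);
            o.put("storeKey", "true");
            o.put("useTicketCache", "false");
        } else {
            // Property absent, or file missing/unreadable: use the caller's ticket cache.
            o.put("useKeyTab", "false");
            o.put("useTicketCache", "true");
            o.put("renewTGT", "true");
        }
        return o;
    }

    /** True when this configuration logs in from a keytab; callers can log the fallback case. */
    boolean usesKeytab() {
        return "true".equals(options.get("useKeyTab"));
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!section.equals(name)) {
            return null;                         // no entry for other sections
        }
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, options)
        };
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: an empty temp file stands in for a keytab, the principal is made up.
        File fakeKeytab = File.createTempFile("zk-client", ".keytab");
        fakeKeytab.deleteOnExit();

        Properties withKeytab = new Properties();
        withKeytab.setProperty(KEYTAB_KEY, fakeKeytab.getAbsolutePath());
        withKeytab.setProperty(PRINCIPAL_KEY, "hbase/host.example.com@EXAMPLE.COM");

        Properties noKeytabProperty = new Properties();

        Properties missingKeytabFile = new Properties();
        missingKeytabFile.setProperty(KEYTAB_KEY, "/nonexistent/zk-client.keytab");
        missingKeytabFile.setProperty(PRINCIPAL_KEY, "hbase/host.example.com@EXAMPLE.COM");

        for (Properties site : new Properties[] { withKeytab, noKeytabProperty, missingKeytabFile }) {
            ZkClientJaasConfig conf = new ZkClientJaasConfig("Client", site);
            AppConfigurationEntry entry = conf.getAppConfigurationEntry("Client")[0];
            System.out.println("usesKeytab=" + conf.usesKeytab() + " options=" + entry.getOptions());
        }
    }
}
```

The third case is the fallback: a configured but missing keytab produces a ticket-cache login, so a deployment that relies on it should log when usesKeytab() is false despite the keytab property being set.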

        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-4791:
-----------------------------------

    Attachment: DemoConfig.java

Yes, ZOOKEEPER-1373 adds the support for having multiple loginContext.
But if you take a look at the code, "java.security.auth.login.config" is not required; it is checked only if the entry is not present.
So, by creating a new LoginContext and a login.Configuration in code, you can avoid the jaas.conf.

I've attached a simple Demo to help you understand what I'm talking about. If you supply the jaas.conf from the command line that one is used, otherwise a new Conf is created by code.
                

        

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Aleksandr Shulman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509869#comment-13509869 ] 

Aleksandr Shulman commented on HBASE-4791:
------------------------------------------

If this is too late for you, I'd be happy to reschedule to an earlier time.

-Aleks S.





[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509802#comment-13509802 ] 

Matteo Bertozzi commented on HBASE-4791:
----------------------------------------

[~saint.ack@gmail.com] good catch, "localhost" is not always right, do we have something to get the "default" localhost, or just InetAddress.getLocalHost().getHostName() is enough?

Also, it would be nice to have this one in 0.94 too, since it doesn't break compatibility,
but we need to upgrade to ZooKeeper 3.4.5 (currently we're using 3.4.3).
                

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13407555#comment-13407555 ] 

Andrew Purtell commented on HBASE-4791:
---------------------------------------

bq. The only properties are still keyTab.file and principal, just loginClient() function. If there's no keyTabFile you use the ticket cache.

... or if the keytab file property is null. +1 sounds good.
                

        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-4791:
-----------------------------------

    Attachment: HBASE-4791-v3.patch

Now that ZOOKEEPER-1437 I think that we're ready to go with this one. I've rebased the patch and fixed some comments. 
                

[jira] [Commented] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Laxman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13293797#comment-13293797 ] 

Laxman commented on HBASE-4791:
-------------------------------

IMO, this requires a fix in ZooKeeper, as it expects the JAAS configuration to be provided as a system property in ZooKeeperSaslClient. Changing that may not be so easy for the following reason.

* The ZooKeeper client doesn't expect any configuration. It just needs a quorum string. So, introducing a configuration may introduce a compatibility issue.

I filed a similar hard-coding related issue ZOOKEEPER-1467.

                

        

[jira] [Updated] (HBASE-4791) Allow Secure Zookeeper JAAS configuration to be programmatically set (rather than only by reading JAAS configuration file)

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-4791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-4791:
-----------------------------------

    Attachment: HBASE-4791-v0.patch

I've attached a first draft patch that allows Master, Region Servers and Quorum Peer to be started without
{code}-Djava.security.auth.login.config=jaas.conf{code}

but using instead hbase-site.xml configuration
* hbase.zookeeper.client.keytab.file
* hbase.zookeeper.client.kerberos.principal
"Client" properties are used by HBase Master and Region Servers.

* hbase.zookeeper.server.keytab.file
* hbase.zookeeper.server.kerberos.principal
"Server" properties are used by Quorum Peer when zookeeper is not external.

Anyway you still need to specify the login.config -D option when you're using the hbase shell or your client application.

_Refactoring a bit hadoop.security.UserGroupInformation and extracting HadoopConfiguration, we can remove the JaasConfiguration code and simplify the ZK Login._
                