Posted to issues@hbase.apache.org by "Matteo Bertozzi (JIRA)" <ji...@apache.org> on 2016/04/09 00:20:25 UTC

[jira] [Commented] (HBASE-15622) Superusers does not consider the keytab credentials

    [ https://issues.apache.org/jira/browse/HBASE-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15233062#comment-15233062 ] 

Matteo Bertozzi commented on HBASE-15622:
-----------------------------------------

The consequence of having the "hbase" user running the process and "hbasefoo" in the keytab is that hbase is "not able to startup", not being able to assign regions.

Master
{noformat}
WARN org.apache.hadoop.hbase.master.RegionStates: Failed to open/close 1588230740 
on hbase-4.cloudera,22101,1460146496108, set to FAILED_OPEN
{noformat}

RS
{noformat}
OpenRegionHandler: Failed open of region=hbase:meta,,1.1588230740, starting to roll back the global memstore size.
org.apache.hadoop.hbase.security.AccessDeniedException: User 'hbasefoo' is not system or super user.
{noformat}

> Superusers does not consider the keytab credentials
> ---------------------------------------------------
>
>                 Key: HBASE-15622
>                 URL: https://issues.apache.org/jira/browse/HBASE-15622
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.0, 1.2.0, 1.3.0, 1.1.4, 0.98.16.1
>            Reporter: Matteo Bertozzi
>
> After HBASE-13755 the superuser we add by default (the process running hbase) does not take into consideration the keytab credential.
> We have an env with the process user being hbase and the keytab being hbasefoo.
> From the Superusers TRACE I see hbase being picked up
> {noformat}
> TRACE Superusers: Current user name is hbase
> {noformat}
> From the RS audit I see hbasefoo making requests
> {noformat}
> "allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
> {noformat}
> Looking at the code in HRegionServer we do
> {code}
> public HRegionServer(Configuration conf, CoordinatedStateManager csm)
>       throws IOException {
>    ...
>     this.userProvider = UserProvider.instantiate(conf);
>     Superusers.initialize(conf);
>    ..
>    // login the server principal (if using secure Hadoop)
>     login(userProvider, hostName);
>   ..
> {code}
> Before HBASE-13755 we were initializing the super user in the ACL coprocessor, so after the login, but now we do that before the login.
> I'm not sure if we can just move the Superuser.initialize() after the login [~mantonov]?



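A small log check for the mismatch described in this report, added here as an example (not code from HBase or from the reporter): it compares the user name that Superusers logged at startup with the user seen in the audit and AccessDeniedException lines. The sample log is constructed from the fragments quoted above; the function names and regular expressions are assumptions based only on those lines.

```python
import re

# Constructed sample: the log fragments quoted in the report, one per line.
# The audit line is truncated on the page and is kept truncated here.
SAMPLE_LOG = """\
TRACE Superusers: Current user name is hbase
"allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
org.apache.hadoop.hbase.security.AccessDeniedException: User 'hbasefoo' is not system or super user.
"""

# Patterns are derived only from the lines shown in the report (assumption:
# real deployments may log these fields in a slightly different layout).
SUPERUSER_RE = re.compile(r"Superusers: Current user name is (\S+)")
AUDIT_RE = re.compile(r'"username":"([^"]+?)(?:\.{3}|")')
DENIED_RE = re.compile(r"AccessDeniedException: User '([^']+)' is not system or super user")


def collect_identities(log_text):
    """Return the short user names seen by each component, keyed by source."""
    seen = {"superuser": set(), "audit": set(), "denied": set()}
    patterns = (("superuser", SUPERUSER_RE), ("audit", AUDIT_RE), ("denied", DENIED_RE))
    for line in log_text.splitlines():
        for key, rx in patterns:
            m = rx.search(line)
            if m:
                # Drop any Kerberos instance/realm so "hbase/host@REALM" compares as "hbase".
                seen[key].add(re.split(r"[/@]", m.group(1))[0])
    return seen


def diagnose(log_text):
    """List (user, source, superusers) where the request user is not the default superuser."""
    seen = collect_identities(log_text)
    findings = []
    for user in sorted(seen["audit"] | seen["denied"]):
        if seen["superuser"] and user not in seen["superuser"]:
            source = "denied" if user in seen["denied"] else "audit"
            findings.append((user, source, sorted(seen["superuser"])))
    return findings


if __name__ == "__main__":
    for user, source, supers in diagnose(SAMPLE_LOG):
        print(f"{user!r} ({source}) differs from default superuser {supers}: "
              "consistent with Superusers being initialized before the keytab login")
```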