Posted to issues@hbase.apache.org by "Matteo Bertozzi (JIRA)" <ji...@apache.org> on 2016/04/09 00:20:25 UTC
[jira] [Commented] (HBASE-15622) Superusers does not consider the keytab credentials
[ https://issues.apache.org/jira/browse/HBASE-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15233062#comment-15233062 ]
Matteo Bertozzi commented on HBASE-15622:
-----------------------------------------
The consequence of having the "hbase" user running the process and "hbasefoo" in the keytab is that hbase is "not able to start up", being unable to assign regions.
Master
{noformat}
WARN org.apache.hadoop.hbase.master.RegionStates: Failed to open/close 1588230740
on hbase-4.cloudera,22101,1460146496108, set to FAILED_OPEN
{noformat}
RS
{noformat}
OpenRegionHandler: Failed open of region=hbase:meta,,1.1588230740, starting to roll back the global memstore size.
org.apache.hadoop.hbase.security.AccessDeniedException: User 'hbasefoo0is not system or super user.
{noformat}
> Superusers does not consider the keytab credentials
> ---------------------------------------------------
>
> Key: HBASE-15622
> URL: https://issues.apache.org/jira/browse/HBASE-15622
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 2.0.0, 1.2.0, 1.3.0, 1.1.4, 0.98.16.1
> Reporter: Matteo Bertozzi
>
> After HBASE-13755 the superuser we add by default (the process running hbase) does not take into consideration the keytab credential.
> We have an env with the process user being hbase and the keytab being hbasefoo.
> From the Superusers TRACE I see hbase being picked up
> {noformat}
> TRACE Superusers: Current user name is hbase
> {noformat}
> From the RS audit I see hbasefoo making requests
> {noformat}
> "allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
> {noformat}
> Looking at the code in HRegionServer we do
> {code}
> public HRegionServer(Configuration conf, CoordinatedStateManager csm)
> throws IOException {
> ...
> this.userProvider = UserProvider.instantiate(conf);
> Superusers.initialize(conf);
> ..
> // login the server principal (if using secure Hadoop)
> login(userProvider, hostName);
> ..
> {code}
> Before HBASE-13755 we were initializing the super user in the ACL coprocessor, so after the login, but now we do that before the login.
> I'm not sure if we can just move the Superuser.initialize() after the login [~mantonov]?
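The ordering dependency described in this issue, as an added example that is not part of the original message or of HBase's code: a simplified Java model in which the superuser set is snapshotted from whatever identity is current at initialization time. The class and method names are hypothetical stand-ins, and the user names are the ones from the report.

```java
import java.util.HashSet;
import java.util.Set;

// Simplified model of the ordering problem; class and method names are
// hypothetical stand-ins, not HBase's real implementation.
public class SuperuserInitOrder {
    // Identity the process currently acts as; starts as the OS user.
    static String currentUser = "hbase";
    // Superuser set, captured once at initialization time.
    static final Set<String> superUsers = new HashSet<>();

    // Stand-in for Superusers.initialize(conf): snapshots the current user.
    static void initializeSuperusers() {
        superUsers.clear();
        superUsers.add(currentUser);
    }

    // Stand-in for login(userProvider, hostName): switches to the keytab principal.
    static void loginFromKeytab(String keytabPrincipal) {
        currentUser = keytabPrincipal;
    }

    // Stand-in for the access check that fails in the RS log above.
    static boolean isSystemOrSuperUser(String requester) {
        return superUsers.contains(requester);
    }

    // Runs startup in the given order and reports whether the server's own
    // post-login identity passes the superuser check.
    static boolean startup(boolean initBeforeLogin, String osUser, String keytabUser) {
        currentUser = osUser;
        if (initBeforeLogin) {
            initializeSuperusers();
            loginFromKeytab(keytabUser);
        } else {
            loginFromKeytab(keytabUser);
            initializeSuperusers();
        }
        return isSystemOrSuperUser(currentUser);
    }

    public static void main(String[] args) {
        // Constructed inputs matching the environment described in the report.
        System.out.println("init before login: " + startup(true, "hbase", "hbasefoo"));
        System.out.println("init after login:  " + startup(false, "hbase", "hbasefoo"));
        // When the OS user and keytab principal share a name, the ordering bug is hidden.
        System.out.println("matching names:    " + startup(true, "hbase", "hbase"));
    }
}
```

The third call shows why deployments where the process user and the keytab short name coincide never hit the failure, so the check is worth testing with deliberately different names.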