You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Himanshu Vashishtha (JIRA)" <ji...@apache.org> on 2012/08/31 07:35:08 UTC
[jira] [Created] (HBASE-6699) Setting username in Connection in
non-secure HBase
Himanshu Vashishtha created HBASE-6699:
------------------------------------------
Summary: Setting username in Connection in non-secure HBase
Key: HBASE-6699
URL: https://issues.apache.org/jira/browse/HBASE-6699
Project: HBase
Issue Type: Improvement
Components: ipc
Affects Versions: 0.94.1, 0.94.0, 0.92.1, 0.92.0
Reporter: Himanshu Vashishtha
Fix For: 0.92.2, 0.94.2
We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "stack (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445713#comment-13445713 ]
stack commented on HBASE-6699:
------------------------------
Seems odd defining constant PSEUDO_METHOD_NAME_TO_SET_USER up in HConstants when only used down in ipc package. Looks like something that should be defined in Invocation and you'd add method to Invocation asking if its a setUser invocation.
Indent if off for method callToSetUser
Does the callToSetUser w/ its new Invocation and Call have to happen always? Can it not be off and if needed, enabled by config? Would mean Lars would be more comfortable committing if default behavior was unchanged. Is it ok doing it this way for you lot?
Why change the way the comment is done?
{code}
- // See HBaseServer.Call.setResponse for where we write out the response.
- // It writes the call.id (int), a flag byte, then optionally the length
- // of the response (int) followed by data.
-
+ /**
+ * See {@link HBaseServer.Call#setResponse()} for where we write out the
+ * response. It writes the call.id (int), a flag byte, then optionally
+ * the length of the response (int) followed by data.
+ */
{code}
The javadoc commenting convention will never be interpreted as so in middle of method?
Is this log right?
{code}
+ LOG.error("Got exception while processing call with Id: " +id, e);
{code}
Did we used to just retry silently? If so, now our logs will have a bunch of LOG.error? Is LOG.error appropriate if retry (I may be off... just reading the patch, not looking at the patch context)
Where in HBaseServer do we actually make the Call after getting user name? I see us returning Void but this is an invocation just to set user name over on server?
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Ted Yu (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ted Yu updated HBASE-6699:
--------------------------
Fix Version/s: (was: 0.92.2)
0.92.3
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13446074#comment-13446074 ]
Lars Hofhansl commented on HBASE-6699:
--------------------------------------
So what is the username tied to. It's not an RPC (that would be inefficient anyway).
If it is tied to (TCP) Connection it means by extension it is tied to the HConection that issued the request, correct?
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13446151#comment-13446151 ]
Himanshu Vashishtha commented on HBASE-6699:
--------------------------------------------
Good point. Though, I wonder when a non-secure client will try to connect HBase with this setting. There will be a version mismatch (3 vs 4), and it looks like SecureServer.SecureConnection.rpcHeaderRead will remain false?
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.3
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Himanshu Vashishtha updated HBASE-6699:
---------------------------------------
Attachment: HBase-6699-v1.patch
Attached! LarsH is lightening fast :)
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.2, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "stack (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445722#comment-13445722 ]
stack commented on HBASE-6699:
------------------------------
bq. re: PSEUDO_METHOD_NAME_TO_SET_USER: We do have other references to HConstants though? For Cluster_ID?
I don't follow. HConstants is a bad pattern. Constants should be defined where they are used if possible.
bq. re: Comments: As I was reading the related code, i tried to use /**/ for multi line comments.
/** */ is for javadoc. This is not javadoc. In general, you should try to minimize your changes. Makes it easier getting your patches in.
bq. No, we just closed the connection if in this code path. This error is just to print which call made it so.
We failed silently w/ no other logging?
bq. re: HBaseServer: So, the username is set in RequestContext. Now, any code which wants to log can call this and get the username.
I suppose I don't get it. In every request context or just one time? Where is the actual request when we have this setuser trick going on?
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445735#comment-13445735 ]
Himanshu Vashishtha commented on HBASE-6699:
--------------------------------------------
re: PSEUDO_METHOD_NAME_TO_SET_USER: Okay. Will remove it from HConstants.
re Comments: Yea, I used multi line ones and it gets converted to javadoc like one. Will revert it boss.
{code}
catch (IOException e) {
if (e instanceof SocketTimeoutException && remoteId.rpcTimeout > 0) {
// Clean up open calls but don't treat this as a fatal condition,
// since we expect certain responses to not make it by the specified
// {@link ConnectionId#rpcTimeout}.
closeException = e;
} else {
LOG.error("Got exception while processing call with Id: " +id, e);
// Since the server did not respond within the default ping interval
// time, treat this as a fatal condition and close this connection
markClosed(e);
}
finally {
if (remoteId.rpcTimeout > 0) {
cleanupCalls(remoteId.rpcTimeout);
}
{code}
We handle sockettimeout/rpctimeout; other exceptions are ignored. So, when new client issues a call to setUserNameInConnection, old server will throw a NoSuchMethodFound exception, which will be ignored by the client.
re: HBaseServer:
Sorry for not being clear enough. This is set in the connection.ticket attribute. Next time if a call comes from this connection, this ticket is used to set the user in RequestContext.
{code}
RequestContext.set(call.connection.ticket, getRemoteIp(), call.connection.protocol);
{code}
Any one interested can invoke RequestContext.getRequestUser().getUserName() or other such attrs of RequestContext. Hope it is clear now.
Hmmm, I tested it with hadoop 1.0.0 jar; will be good to know if it is to be tested with others too. Main thing to see is UGI.createRemoteUser doesn't give any unexpected result.
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13446108#comment-13446108 ]
Himanshu Vashishtha commented on HBASE-6699:
--------------------------------------------
yes, the username is tied to the Connection.
There is one extra rpc, to set/tie the username to the Connection, and is issued after sending the ConnectionHeader. It will be send one time whenever a connection is created (I will make it optional though, as Stack said). Its a non-blocking call to the server.
With the first approach I mentioned, we could have set it in the ConnectionHeader itself and avoided any extra rpc, but it will be a change in a Writable.
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Himanshu Vashishtha resolved HBASE-6699.
----------------------------------------
Resolution: Invalid
Confirmed with our internal users, and they are okay with using the hollow secure setup. Marking this as Invalid; In case there are other users, I will be happy to provide a revised patch.
Thanks to all for the reviews and suggestions.
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.3
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Assigned] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Himanshu Vashishtha reassigned HBASE-6699:
------------------------------------------
Assignee: Himanshu Vashishtha
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.2, 0.94.2
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445702#comment-13445702 ]
Himanshu Vashishtha commented on HBASE-6699:
--------------------------------------------
Yes, just used this opportunity to clean up some comments.
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445698#comment-13445698 ]
Lars Hofhansl commented on HBASE-6699:
--------------------------------------
Heh...
I'll have to trust you on the RPC stuff. I don't know that code well.
The patch would be smaller without the comment changes (but they are fine).
Maybe somebody who knows the RPC better can have a look and give a +1. Andy? Todd?
Is this:
{code}
} else {
+ LOG.error("Got exception while processing call with Id: " +id, e);
// Since the server did not respond within the default ping interval
{code}
Needed for the patch?
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lars Hofhansl updated HBASE-6699:
---------------------------------
Fix Version/s: (was: 0.94.3)
(was: 0.92.3)
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lars Hofhansl updated HBASE-6699:
---------------------------------
Fix Version/s: (was: 0.94.2)
0.94.3
Since we're still discussing. Moving to 0.94.3.
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.3
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445701#comment-13445701 ]
Himanshu Vashishtha commented on HBASE-6699:
--------------------------------------------
I added it as part of debugging and kept it as it might be of some use, in other cases? I can remove it if you say.
Yeah, let's wait for ipc experts.
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445721#comment-13445721 ]
Himanshu Vashishtha commented on HBASE-6699:
--------------------------------------------
re: PSEUDO_METHOD_NAME_TO_SET_USER: We do have other references to HConstants though? For Cluster_ID?
re: indent: okay.
re: Config param: I am +0 on that. Will do.
re: Comments: As I was reading the related code, i tried to use /**/ for multi line comments.
bq. LOG.error("Got exception while processing call with Id: " +id, e);
No, we just closed the connection if in this code path. This error is just to print which call made it so.
re: HBaseServer: So, the username is set in RequestContext. Now, any code which wants to log can call this and get the username. For example, one can use AcessController (while using as a normal coprocessor).
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445687#comment-13445687 ]
Lars Hofhansl commented on HBASE-6699:
--------------------------------------
I'm very interested in this as well.
If you have a patch ready I'm happy to put this into 0.94.2. Otherwise let's try 0.94.3.
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.2, 0.94.2
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Gary Helmling (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13446156#comment-13446156 ]
Gary Helmling commented on HBASE-6699:
--------------------------------------
In the case of using SecureRpcEngine, the clients also need to be configured to use SecureRpcEngine. Clients using the default WritableRpcEngine would not be able to connect.
I just wanted to point out you can use SecureRpcEngine without kerberos auth to make use of the same existing user-level logging without any code changes (if I understand correctly what you're after).
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.3
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13445689#comment-13445689 ]
Himanshu Vashishtha commented on HBASE-6699:
--------------------------------------------
Here are the two approaches:
1) Change the ConnectionHeader so that it *actually* sets the User object, rather than just providing stubs to do so. This will change the Writable and then we need to do version number jugglery for compatibility.
2) Make a *pesudo call* to a non-existent method while creating the connection, and let the new server handle it by setting the connection.ticket to the requester. (Credit to Todd for this suggestion)
Attached is a patch with the second approach. I tested it with patched server versus unpatched client, and vice versa.
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.2, 0.94.2
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (HBASE-6699) Setting username in Connection in
non-secure HBase
Posted by "Gary Helmling (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HBASE-6699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13446110#comment-13446110 ]
Gary Helmling commented on HBASE-6699:
--------------------------------------
So, after the header is written, the magic invocation is passed to set the username? That seems a little ugly. Seems like it would be simpler to just change ConnectionHeader to actually handle User (all the bit's are there, it just always uses "null"), though that would change the serialization of ConnectionHeader and not be back-compatible, so maybe that's out.
Getting back to the original issue, if the need is just to have username present without kerberos auth, couldn't you just use SecureRpcEngine with hbase.security.authentication set to "simple"? Then you would get usernames passed through for each connection, just without kerberos auth.
> Setting username in Connection in non-secure HBase
> --------------------------------------------------
>
> Key: HBASE-6699
> URL: https://issues.apache.org/jira/browse/HBASE-6699
> Project: HBase
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 0.92.0, 0.92.1, 0.94.0, 0.94.1
> Reporter: Himanshu Vashishtha
> Assignee: Himanshu Vashishtha
> Fix For: 0.92.3, 0.94.2
>
> Attachments: HBase-6699-v1.patch
>
>
> We recently had a requirement where we need to log the information about various users who were using non-secure HBase cluster.
> The user level logging is supported as part of security, but in 0.92, 0.94 security related code is separate. This jira is about adding that support in non-secure code.
> This feature is already there in trunk, after we merge the security related code.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira