You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hbase.apache.org by "Matteo Bertozzi (JIRA)" <ji...@apache.org> on 2016/04/09 00:05:25 UTC
[jira] [Created] (HBASE-15622) Superusers does not consider the
keytab credentials
Matteo Bertozzi created HBASE-15622:
---------------------------------------
Summary: Superusers does not consider the keytab credentials
Key: HBASE-15622
URL: https://issues.apache.org/jira/browse/HBASE-15622
Project: HBase
Issue Type: Bug
Components: security
Affects Versions: 0.98.16.1, 1.1.4, 1.2.0, 2.0.0, 1.3.0
Reporter: Matteo Bertozzi
After HBASE-13755 the superuser we add by default (the process running hbase) does not take in consideration the keytab credential.
We have an env with the process user being hbase and the keytab being hbasefoo.
from Superusers TRACE I see, the hbase being picked up
{noformat}
TRACE Superusers: Current user name is hbase
{noformat}
from the RS audit I see the hbasefoo making requests
{noformat}
"allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
{noformat}
looking at the code in HRegionServer we do
{code}
public HRegionServer(Configuration conf, CoordinatedStateManager csm)
throws IOException {
...
this.userProvider = UserProvider.instantiate(conf);
Superusers.initialize(conf);
..
// login the server principal (if using secure Hadoop)
login(userProvider, hostName);
..
{code}
Before HBASE-13755 we were initializing the super user in the ACL coprocessor, so after the login. but now we do that before the login.
I'm not sure if we can just move the Superuser.initialize() after the login [~mantonov]?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)