You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@hbase.apache.org by "Matteo Bertozzi (JIRA)" <ji...@apache.org> on 2016/04/09 00:05:25 UTC

[jira] [Created] (HBASE-15622) Superusers does not consider the keytab credentials

Matteo Bertozzi created HBASE-15622:
---------------------------------------

             Summary: Superusers does not consider the keytab credentials
                 Key: HBASE-15622
                 URL: https://issues.apache.org/jira/browse/HBASE-15622
             Project: HBase
          Issue Type: Bug
          Components: security
    Affects Versions: 0.98.16.1, 1.1.4, 1.2.0, 2.0.0, 1.3.0
            Reporter: Matteo Bertozzi


After HBASE-13755 the superuser we add by default (the process running hbase) does not take in consideration the keytab credential.

We have an env with the process user being hbase and the keytab being hbasefoo.
from Superusers TRACE I see, the hbase being picked up
{noformat}
TRACE Superusers: Current user name is hbase
{noformat}
from the RS audit I see the hbasefoo making requests
{noformat}
"allowed":true,"serviceName":"HBASE-1","username":"hbasefoo...
{noformat}

looking at the code in HRegionServer we do 
{code}
public HRegionServer(Configuration conf, CoordinatedStateManager csm)
      throws IOException {
   ...
    this.userProvider = UserProvider.instantiate(conf);
    Superusers.initialize(conf);
   ..
   // login the server principal (if using secure Hadoop)
    login(userProvider, hostName);
  ..
{code}
Before HBASE-13755 we were initializing the super user in the ACL coprocessor, so after the login. but now we do that before the login.

I'm not sure if we can just move the Superuser.initialize() after the login [~mantonov]?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)