You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@storm.apache.org by "Sandeep Nemuri (JIRA)" <ji...@apache.org> on 2017/06/22 15:00:00 UTC

[jira] [Commented] (STORM-1647) AutoHBase doesn't send delegation token

    [ https://issues.apache.org/jira/browse/STORM-1647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16059501#comment-16059501 ] 

Sandeep Nemuri commented on STORM-1647:
---------------------------------------

Log says AccessDeniedException , We'd need to grant permissions in hbase for this user to access the table.

> AutoHBase doesn't send delegation token
> ---------------------------------------
>
>                 Key: STORM-1647
>                 URL: https://issues.apache.org/jira/browse/STORM-1647
>             Project: Apache Storm
>          Issue Type: Bug
>    Affects Versions: 0.10.0
>            Reporter: Matt McDowell
>
> When submitting a topology, Nimbus appears to pick up the delegation tokens as expected (the second log line is a call I added for testing this):
> {code:title=nimbus.log}
> 2016-03-22 12:54:55.159 o.a.s.h.s.AutoHBase [INFO] Logged into Hbase as principal = storm@MIST.COGNITIVESYSTEMS.COM
> 2016-03-22 12:54:55.160 o.a.s.h.s.AutoHBase [INFO] AutoHBase proxyUser: flurry@MIST.COGNITIVESYSTEMS.COM (auth:PROXY) via storm@MIST.COGNITIVESYSTEMS.COM (auth:KERBEROS)
> 2016-03-22 12:54:55.971 o.a.s.h.s.AutoHBase [INFO] Obtained HBase tokens, adding to user credentials.
> {code}
> However, when my bolt starts up, it attempts to write to HBASE as storm instead of flurry:
> {code:title=Flurry-1-1458664951-worker-6700.log}
> 2016-03-22 16:48:10.506 b.s.d.executor [ERROR] 
> org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException: Failed 1 action: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=storm@MIST.COGNITIVESYSTEMS.COM, scope=########, family=##############, params=[table=########,family=########],action=WRITE)
> {code}
> if I go into SecurityAuth.audit, the HBASE regionserver receives a simple token instead of a proxy token:
> {code:title=SecurityAuth.audit}
> 2016-03-22 16:55:20,903 INFO SecurityLogger.org.apache.hadoop.hbase.Server: Connection from ##.##.##.## port: 35551 with unknown version info
> 2016-03-22 16:55:20,903 INFO SecurityLogger.org.apache.hadoop.security.authorize.ServiceAuthorizationManager: Authorization successful for storm@MIST.COGNITIVESYSTEMS.COM (auth:TOKEN) for protocol=interface org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingInterface
> {code}
> For reference, core-site.xml:
> {code:title=core-site.xml}
> hadoop.proxyuser.storm.groups = flurry
> hadoop.proxyuser.storm.hosts = *
> {code}
> And storm.yaml:
> {code:title=storm.yaml}
> hbase.kerberos.principal : 'storm@MIST.COGNITIVESYSTEMS.COM'
> hbase.keytab.file : '/etc/security/keytabs/storm.headless.keytab'
> nimbus.autocredential.plugins.classes : ['org.apache.storm.hbase.security.AutoHBase']
> nimbus.credential.renewers.classes : ['org.apache.storm.hbase.security.AutoHBase']
> nimbus.credential.renewers.freq.secs : 82800
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)