[jira] [Resolved] (HBASE-11089) Use proxy user for security integration test where multiple users are needed

[Andrew Purtell (JIRA)]

     [ 
https://issues.apache.org/jira/browse/HBASE-11089?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Purtell resolved HBASE-11089.
------------------------------------

    Resolution: Duplicate

Dup of HBASE-10831, but let me carry this over there.

> Use proxy user for security integration test where multiple users are needed
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-11089
>                 URL: https://issues.apache.org/jira/browse/HBASE-11089
>             Project: HBase
>          Issue Type: Task
>            Reporter: Ted Yu
>
> We have seen the following test failure:
> {code}
> 2014-02-06 02:58:25,315|beaver.machine|INFO|RUNNING: /usr/bin/kinit -c 
> /grid/0/hadoopqe/artifacts/kerberosTickets/hbase.kerberos.ticket -k -t 
> /home/hrt_qa/hadoopqa/keytabs/hbase.headless.keytab hbase
> 2014-02-06 02:58:25,325|beaver.machine|INFO|RUNNING: /usr/lib/hbase/bin/hbase 
> --config /tmp/hbaseConf org.apache.hadoop.hbase.IntegrationTestsDriver -regex 
> IntegrationTestIngestWithACL
> 2014-02-06 02:58:34,489|beaver.machine|INFO|2014-02-06 02:58:34,489 DEBUG 
> HBaseWriterThreadWithACL_1 token.AuthenticationTokenSelector: No matching 
> token found
> 2014-02-06 02:58:34,493|beaver.machine|INFO|2014-02-06 02:58:34,489 DEBUG 
> HBaseWriterThreadWithACL_1 security.HBaseSaslRpcClient: Creating SASL GSSAPI 
> client. Server's Kerberos principal name is 
> hbase/h2-ubuntu12-sec-1391405488-hbase-7.cs1cloud.inter...@example.com
> 2014-02-06 02:58:34,493|beaver.machine|INFO|2014-02-06 02:58:34,491 WARN 
> HBaseWriterThreadWithACL_1 security.UserGroupInformation: 
> PriviledgedActionException as:owner (auth:SIMPLE) 
> cause:javax.security.sasl.SaslException: GSS initiate failed Caused by 
> GSSException: No valid credentials provided (Mechanism level: Failed to find 
> any Kerberos tgt)
> 2014-02-06 02:58:34,493|beaver.machine|INFO|2014-02-06 02:58:34,492 WARN 
> HBaseWriterThreadWithACL_1 ipc.RpcClient: Exception encountered while 
> connecting to the server : javax.security.sasl.SaslException: GSS initiate 
> failed Caused by GSSException: No valid credentials provided (Mechanism 
> level: Failed to find any Kerberos tgt)
> 2014-02-06 02:58:34,498|beaver.machine|INFO|2014-02-06 02:58:34,493 FATAL 
> HBaseWriterThreadWithACL_1 ipc.RpcClient: SASL authentication failed. The 
> most likely cause is missing or invalid credentials. Consider 'kinit'.
> 2014-02-06 
> 02:58:34,499|beaver.machine|INFO|javax.security.sasl.SaslException: GSS 
> initiate failed Caused by GSSException: No valid credentials provided 
> (Mechanism level: Failed to find any Kerberos tgt)
> 2014-02-06 02:58:34,499|beaver.machine|INFO|at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
> 2014-02-06 02:58:34,499|beaver.machine|INFO|at 
> org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:152)
> 2014-02-06 02:58:34,500|beaver.machine|INFO|at 
> org.apache.hadoop.hbase.ipc.RpcClient$Connection.setupSaslConnection(RpcClient.java:762)
> {code}
> The above test failure was due to the second user in the test not being able 
> to authenticate using kerberos.
> This can be solved using impersonation which is described here : 
> http://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html
> The superuser needs to authenticate using kerberos. The superuser can 
> impersonate any member of the specified groups.



--
This message was sent by Atlassian JIRA
(v6.2#6252)