Nihal Jain created HBASE-29144:
----------------------------------

             Summary: Client request fails for KERBEROS with rpc based 
ConnectionRegistry
                 Key: HBASE-29144
                 URL: https://issues.apache.org/jira/browse/HBASE-29144
             Project: HBase
          Issue Type: Improvement
            Reporter: Nihal Jain


After setting up an HBase-3 cluster with Kerberos, I was unable to list tables. 
Upon investigation, I found that the following default configuration in HBase-3 
does not work as expected:
{noformat}
hbase.client.registry.impl=org.apache.hadoop.hbase.client.ZKConnectionRegistry
{noformat}
With HBASE-25051, we now create the configuration in the following manner in 
[_ConnectionRegistryRpcStubHolder_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionRegistryRpcStubHolder.java#L80]
{code:java}
this.noAuthConf.set(User.HBASE_SECURITY_CONF_KEY, "simple"); {code}
*Reason*
{quote}We implement a new way to get information from a server through 
different rpc preamble headers, and use it to get the cluster id before 
actually setting up the secure rpc client.
{quote}
*Problem*

We have a method to get a singleton instance via 
[_SaslClientAuthenticationProviders#getInstance()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProviders.java#L76]
 and hence we end up calling 
[_BuiltInProviderSelector#configure()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L60]
 with the above {{noAuthConf}}, thus initializing the variable 
[_BuiltInProviderSelector.conf_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L53]
 with this no-auth config.

Any subsequent calls fail to connect during 
[_BuiltInProviderSelector#selectProvider()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6]
 due to the following configuration check:
{code:java}
    // Superfluous: we don't do SIMPLE auth over SASL, but we should to simplify.
    if (!User.isHBaseSecurityEnabled(conf)) {
      return new Pair<>(simpleAuth, null);
    }
{code}
We end up returning a simple auth instance.

*Possible Solutions*
 # Remove the above check from 
[_BuiltInProviderSelector#selectProvider()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6],
 if it is unnecessary. (Tried locally, it works; not sure about side effects, if 
any.)
 # Ensure the singleton instance is re-initialized with the correct 
configuration so that it is not set with SIMPLE.

CC: [~zhangduo]
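
The failure mode reported above, as an added example that is not HBase code and not part of the original message: a process-wide singleton keeps the first configuration it is given, so a later Kerberos caller is silently handed SIMPLE auth. All class and method names are hypothetical stand-ins; the key string and the {{kerberos}} comparison are assumed to match {{User.HBASE_SECURITY_CONF_KEY}} and {{User.isHBaseSecurityEnabled}}.

```java
import java.util.Map;

// Simplified model of the singleton/configuration problem in the report.
// Selector and GlobalProviders are hypothetical names, not HBase classes.
public class SingletonConfDemo {
  static final String SECURITY_KEY = "hbase.security.authentication"; // assumed key

  // Decides the auth method from the configuration it was built with.
  static class Selector {
    private final Map<String, String> conf;
    Selector(Map<String, String> conf) { this.conf = conf; }
    String selectProvider() {
      // Same shape as the check quoted in the report.
      return "kerberos".equalsIgnoreCase(conf.get(SECURITY_KEY)) ? "GSSAPI" : "SIMPLE";
    }
  }

  // Process-wide singleton: whichever caller arrives first fixes the conf.
  static class GlobalProviders {
    private static Selector instance;
    static synchronized Selector getInstance(Map<String, String> conf) {
      if (instance == null) {
        instance = new Selector(conf);
      }
      return instance; // a later caller's conf is silently ignored
    }
  }

  public static void main(String[] args) {
    Map<String, String> userConf = Map.of(SECURITY_KEY, "kerberos");
    Map<String, String> noAuthConf = Map.of(SECURITY_KEY, "simple");

    // 1. The registry bootstrap (cluster id lookup) initializes the singleton.
    String bootstrap = GlobalProviders.getInstance(noAuthConf).selectProvider();
    // 2. The real client connection then asks with the Kerberos conf.
    String viaSingleton = GlobalProviders.getInstance(userConf).selectProvider();
    // 3. A selector scoped to the caller's own conf is unaffected.
    String scoped = new Selector(userConf).selectProvider();

    System.out.println("bootstrap    = " + bootstrap);
    System.out.println("viaSingleton = " + viaSingleton);
    System.out.println("scoped       = " + scoped);
    if (!viaSingleton.equals(scoped)) {
      System.out.println("MISMATCH: singleton auth differs from the requested conf");
    }
  }
}
```

A check like the final comparison, run against the caller's own configuration, turns the silent fallback to SIMPLE into a visible error.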


