Karthik Palanisamy created HBASE-29599:
------------------------------------------
Summary: Delegation token renewer name mismatch for S3 when using Ranger RAZ
Key: HBASE-29599
URL: https://issues.apache.org/jira/browse/HBASE-29599
Project: HBase
Issue Type: Bug
Components: security
Reporter: Karthik Palanisamy
Attachments: Screenshot 2025-09-16 at 10.48.51 AM.png
{{org.apache.hadoop.hbase.security.token.FsDelegationToken#acquireDelegationToken}}
currently passes a hardcoded renewer name, {{"renewer"}}. This should be the
actual username or account name of the caller. This works fine for the HDFS
filesystem, but fails for S3 when Ranger RAZ is enabled, because RAZ validates
the renewer against the current user. These HBase code paths that request
delegation tokens need to be fixed:
* HBase Table Export
* SecureBulkLoad Manager
* HFile Replicator
* BulkLoad HFile Tool
Ranger RAZ pre-check:
[RazS3ATokenRenewer.java#L146|https://github.infra.cloudera.com/jichen0919/ranger/blob/3bdca990f84da311d1527902acc8dc82f0d9527d/raz-hook-s3/src/main/java/org/apache/ranger/raz/hook/s3/RazS3ATokenRenewer.java#L146_]
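The renewer mismatch described in the report, as an added example that is not HBase's code and not the fix for this issue: it requests a filesystem delegation token once with the literal {{"renewer"}} and once with the calling user's name, then reads back the renewer recorded in each token. The class and method names are hypothetical, using the short user name as the value compared against is an assumption, and it needs hadoop-common on the classpath plus a filesystem URI as its first argument.

```java
import java.io.IOException;
import java.net.URI;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;

/** Hypothetical illustration class; not part of HBase. */
public class CallerRenewerExample {

  /** Pattern described in the report: the renewer is the literal string "renewer". */
  static Token<?> acquireWithHardcodedRenewer(FileSystem fs) throws IOException {
    return fs.getDelegationToken("renewer");
  }

  /** Alternative: name the calling user as renewer (short name is an assumption). */
  static Token<?> acquireWithCallerRenewer(FileSystem fs) throws IOException {
    String caller = UserGroupInformation.getCurrentUser().getShortUserName();
    return fs.getDelegationToken(caller);
  }

  /** Returns the renewer recorded in the token, or null if none can be read. */
  static String renewerOf(Token<?> token) throws IOException {
    if (token == null) {
      return null; // the filesystem issued no token, e.g. security is disabled
    }
    TokenIdentifier id = token.decodeIdentifier();
    if (id instanceof AbstractDelegationTokenIdentifier) {
      return ((AbstractDelegationTokenIdentifier) id).getRenewer().toString();
    }
    return null; // identifier class unavailable or not a delegation token
  }

  public static void main(String[] args) throws IOException {
    // args[0]: filesystem URI chosen by the operator (hdfs:// or s3a://).
    FileSystem fs = FileSystem.get(URI.create(args[0]), new Configuration());
    System.out.println("caller: " + UserGroupInformation.getCurrentUser().getShortUserName());
    try {
      System.out.println("hardcoded renewer: " + renewerOf(acquireWithHardcodedRenewer(fs)));
    } catch (IOException e) {
      // Per the report, this request fails on S3 when Ranger RAZ is enabled.
      System.out.println("hardcoded renewer rejected: " + e.getMessage());
    }
    System.out.println("caller renewer: " + renewerOf(acquireWithCallerRenewer(fs)));
  }
}
```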