Harsh J created OOZIE-2419:
------------------------------

Summary: HBase credentials are not correctly proxied
Key: OOZIE-2419
URL: https://issues.apache.org/jira/browse/OOZIE-2419
Project: Oozie
Issue Type: Bug
Reporter: Harsh J

The method we are using for obtaining tokens from HBase in HbaseCredentials.java does not appear to be proxying correctly. It obtains a token for the Oozie server user instead of the proxied user, causing a problem inside workflow actions that reference it.

Here's a demonstration (the first method is how Oozie does it today, and the second method is a more manual one which works correctly instead):

{code}
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.mapred.JobConf;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

import java.security.PrivilegedExceptionAction;

public class Main {
  public static void main(String[] args) throws Exception {
    String user = "harsh";
    // Proxy UGI: "harsh" impersonated by the logged-in (server) user.
    UserGroupInformation ugi =
        UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
    User u = User.create(ugi);

    // Method 1: how Oozie obtains the token today.
    JobConf conf = new JobConf(HBaseConfiguration.create());
    u.obtainAuthTokenForJob(conf);
    for (Token<? extends TokenIdentifier> token : conf.getCredentials().getAllTokens()) {
      System.out.println(token.getKind());
      System.out.println(token.decodeIdentifier().getUser());
    }

    System.out.println();

    // Method 2: obtain the token manually inside runAs() of the proxied user.
    final JobConf conf2 = new JobConf(HBaseConfiguration.create());
    Token<AuthenticationTokenIdentifier> token =
        u.runAs(new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
          public Token<AuthenticationTokenIdentifier> run() throws Exception {
            return TokenUtil.obtainToken(conf2);
          }
        });
    conf2.getCredentials().addToken(token.getService(), token);
    for (Token<? extends TokenIdentifier> token2 : conf2.getCredentials().getAllTokens()) {
      System.out.println(token2.getKind());
      System.out.println(token2.decodeIdentifier().getUser());
    }
  }
}

// javac -cp $(hbase classpath) Main.java
// java -cp $PWD:$(hbase classpath) Main
{code}

This prints:

{code}
HBASE_AUTH_TOKEN
oo...@example.com (auth:SIMPLE)

HBASE_AUTH_TOKEN
harsh (auth:SIMPLE)
{code}

The first token is identified as the server user, vs. the required proxied user string.
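
A fail-closed owner check for the mismatch reported above, as an added example that is not part of the original report and is not Oozie code. The class name `HBaseTokenOwnerCheck` and method `verifyOwner` are hypothetical, and comparing on the short user name is an assumption about how the proxied user is named in the token.

```java
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

import java.io.IOException;

// Added example: hypothetical helper, not part of Oozie or HBase.
public final class HBaseTokenOwnerCheck {
  // Token kind exactly as printed in the report's output.
  private static final Text HBASE_KIND = new Text("HBASE_AUTH_TOKEN");

  private HBaseTokenOwnerCheck() {}

  /**
   * Throws if any HBase token in creds is not owned by expectedUser.
   * Returns the number of HBase tokens that were checked.
   */
  public static int verifyOwner(Credentials creds, String expectedUser) throws IOException {
    int checked = 0;
    for (Token<? extends TokenIdentifier> token : creds.getAllTokens()) {
      if (!HBASE_KIND.equals(token.getKind())) {
        continue; // other token kinds are out of scope for this check
      }
      // decodeIdentifier() returns null when the kind cannot be decoded.
      TokenIdentifier id = token.decodeIdentifier();
      UserGroupInformation owner = (id == null) ? null : id.getUser();
      // Fail closed: an undecodable or ownerless token counts as a mismatch.
      if (owner == null || !expectedUser.equals(owner.getShortUserName())) {
        throw new IOException("HBase token owner is "
            + (owner == null ? "unknown" : owner.getUserName())
            + ", expected proxied user " + expectedUser);
      }
      checked++;
    }
    return checked;
  }
}
```

Called as `HBaseTokenOwnerCheck.verifyOwner(conf.getCredentials(), "harsh")` right after token acquisition, it would reject the first token in the output above and accept the second.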