[jira] [Created] (OOZIE-2419) HBase credentials are not correctly proxied

Fri, 11 Dec 2015 10:31:57 -0800 

Harsh J created OOZIE-2419:
------------------------------

             Summary: HBase credentials are not correctly proxied
                 Key: OOZIE-2419
                 URL: https://issues.apache.org/jira/browse/OOZIE-2419
             Project: Oozie
          Issue Type: Bug
            Reporter: Harsh J


The method we are using for obtaining tokens from HBase in 
HbaseCredentials.java does not appear to be proxying correctly. It obtains a 
token for the Oozie server user instead of the proxied user, causing a problem 
inside workflow actions that reference it.

Here's a demonstration (the first method is how Oozie does it today, and the 
second method is a more manual one which works correctly instead):

{code}
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.mapred.JobConf;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;

public class Main {
    public static void main(String[] args) throws Exception {
        String user = "harsh";

        UserGroupInformation ugi =  UserGroupInformation.createProxyUser(user, 
UserGroupInformation.getLoginUser());
        User u = User.create(ugi);

        JobConf conf = new JobConf(HBaseConfiguration.create());
        u.obtainAuthTokenForJob(conf);
        for (Token<? extends TokenIdentifier> token : 
conf.getCredentials().getAllTokens()) {
            System.out.println(token.getKind());
            System.out.println(token.decodeIdentifier().getUser());
        }

        System.out.println();

        final JobConf conf2 = new JobConf(HBaseConfiguration.create());
        Token<AuthenticationTokenIdentifier> token = u.runAs(new 
PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
            public Token<AuthenticationTokenIdentifier> run() throws Exception {
                return TokenUtil.obtainToken(conf2);
            }
        });
        conf2.getCredentials().addToken(token.getService(), token);
        for (Token<? extends TokenIdentifier> token2 : 
conf2.getCredentials().getAllTokens()) {
            System.out.println(token2.getKind());
            System.out.println(token2.decodeIdentifier().getUser());
        }
    }
}

// javac -cp $(hbase classpath) Main.java
// java -cp $PWD:$(hbase classpath) Main
{code}

This prints:

{code}
HBASE_AUTH_TOKEN
oo...@example.com (auth:SIMPLE)

HBASE_AUTH_TOKEN
harsh (auth:SIMPLE)
{code}

The first token is identified as the server user, vs. the required proxied user 
string.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to