[
https://issues.apache.org/jira/browse/OOZIE-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15055200#comment-15055200
]
Robert Kanter commented on OOZIE-2419:
--------------------------------------
Interesting. Putting it in a {{doAs}} makes sense. I'm pretty sure the
original code was returning the user at some point though. I wonder if maybe
something changed on the HBase side at some point and the original code was
(incorrectly) working before and they fixed it.
In any case, we should do it the correct way here.
> HBase credentials are not correctly proxied
> -------------------------------------------
>
> Key: OOZIE-2419
> URL: https://issues.apache.org/jira/browse/OOZIE-2419
> Project: Oozie
> Issue Type: Bug
> Reporter: Harsh J
>
> The method we are using for obtaining tokens from HBase in
> HbaseCredentials.java does not appear to be proxying correctly. It obtains a
> token for the Oozie server user instead of the proxied user, causing a
> problem inside workflow actions that reference it.
> Here's a demonstration (the first method is how Oozie does it today, and the
> second method is a more manual one which works correctly instead):
> {code}
> import org.apache.hadoop.hbase.HBaseConfiguration;
> import org.apache.hadoop.hbase.security.User;
> import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
> import org.apache.hadoop.hbase.security.token.TokenUtil;
> import org.apache.hadoop.mapred.JobConf;
> import org.apache.hadoop.security.UserGroupInformation;
> import org.apache.hadoop.security.token.Token;
> import org.apache.hadoop.security.token.TokenIdentifier;
> import java.security.PrivilegedAction;
> import java.security.PrivilegedExceptionAction;
>
> public class Main {
>     public static void main(String[] args) throws Exception {
>         String user = "harsh";
>         UserGroupInformation ugi =
>             UserGroupInformation.createProxyUser(user,
>                 UserGroupInformation.getLoginUser());
>         User u = User.create(ugi);
>
>         // Method 1: how Oozie does it today (token comes back for the server user)
>         JobConf conf = new JobConf(HBaseConfiguration.create());
>         u.obtainAuthTokenForJob(conf);
>         for (Token<? extends TokenIdentifier> token :
>                 conf.getCredentials().getAllTokens()) {
>             System.out.println(token.getKind());
>             System.out.println(token.decodeIdentifier().getUser());
>         }
>         System.out.println();
>
>         // Method 2: obtain the token manually inside runAs (token is for the proxied user)
>         final JobConf conf2 = new JobConf(HBaseConfiguration.create());
>         Token<AuthenticationTokenIdentifier> token = u.runAs(new
>             PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
>                 public Token<AuthenticationTokenIdentifier> run() throws
>                         Exception {
>                     return TokenUtil.obtainToken(conf2);
>                 }
>             });
>         conf2.getCredentials().addToken(token.getService(), token);
>         for (Token<? extends TokenIdentifier> token2 :
>                 conf2.getCredentials().getAllTokens()) {
>             System.out.println(token2.getKind());
>             System.out.println(token2.decodeIdentifier().getUser());
>         }
>     }
> }
> // kinit -kt oozie.keytab oozie/$(hostname -f)
> // javac -cp $(hbase classpath) Main.java
> // java -cp $PWD:$(hbase classpath) Main
> {code}
> This prints:
> {code}
> HBASE_AUTH_TOKEN
> [email protected] (auth:SIMPLE)
> HBASE_AUTH_TOKEN
> harsh (auth:SIMPLE)
> {code}
> The first token is identified as the server user, vs. the required proxied
> user string.
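
An added example, not part of the original message or of Oozie's code: a sketch of the {{doAs}} approach discussed above, plus a fail-closed check that the returned token's identifier names the proxied user before the token is handed to a job. The class and method names ({{ProxiedTokenCheck}}, {{obtainAs}}, {{requireOwner}}) are hypothetical. It assumes the same Kerberos-secured HBase setup and login as the demonstration in the issue, and that the expected user is given as a short name.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

// Hypothetical class and method names; not Oozie's HbaseCredentials code.
public class ProxiedTokenCheck {
    // Request the token inside doAs so HBase sees the proxied user as the caller.
    static Token<AuthenticationTokenIdentifier> obtainAs(
            UserGroupInformation proxyUgi, final Configuration conf)
            throws IOException, InterruptedException {
        return proxyUgi.doAs(
            new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
                public Token<AuthenticationTokenIdentifier> run() throws Exception {
                    return TokenUtil.obtainToken(conf);
                }
            });
    }

    // Fail closed: reject a token whose identifier names anyone but the expected user.
    // Assumption: expectedUser is a short name (no host or realm part).
    static void requireOwner(Token<? extends TokenIdentifier> token, String expectedUser)
            throws IOException {
        TokenIdentifier id = token.decodeIdentifier();   // null if the kind is unknown
        UserGroupInformation owner = (id == null) ? null : id.getUser();
        String actual = (owner == null) ? "<undecodable>" : owner.getShortUserName();
        if (!expectedUser.equals(actual)) {
            throw new SecurityException("HBase token issued to '" + actual
                    + "', expected proxied user '" + expectedUser + "'");
        }
    }

    public static void main(String[] args) throws Exception {
        String user = args.length > 0 ? args[0] : "harsh";  // sample user from the issue
        UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(
                user, UserGroupInformation.getLoginUser());
        Token<AuthenticationTokenIdentifier> token =
                obtainAs(proxyUgi, HBaseConfiguration.create());
        requireOwner(token, user);
        System.out.println(token.getKind() + " issued to " + user);
    }
}
```

Run against the first method from the issue, {{requireOwner}} would throw, because that token is identified as the server user rather than the proxied one.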