[ https://issues.apache.org/jira/browse/OOZIE-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15055530#comment-15055530 ]

Harsh J commented on OOZIE-2419:
--------------------------------

Thanks Robert, I went back and checked and the credentials do work as 
intended on HBase 0.98; it seems broken from HBase 1.0, so it does appear to be 
an upstream regression. Should we instead report this with the HBase project 
and receive a fix?

The doAs approach works OK on both versions, however.

> HBase credentials are not correctly proxied
> -------------------------------------------
>
>                 Key: OOZIE-2419
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2419
>             Project: Oozie
>          Issue Type: Bug
>            Reporter: Harsh J
>
> The method we are using for obtaining tokens from HBase in 
> HbaseCredentials.java does not appear to be proxying correctly. It obtains a 
> token for the Oozie server user instead of the proxied user, causing a 
> problem inside workflow actions that reference it.
> Here's a demonstration (the first method is how Oozie does it today, and the 
> second method is a more manual one which works correctly instead):
> {code}
> import org.apache.hadoop.hbase.HBaseConfiguration;
> import org.apache.hadoop.hbase.security.User;
> import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
> import org.apache.hadoop.hbase.security.token.TokenUtil;
> import org.apache.hadoop.mapred.JobConf;
> import org.apache.hadoop.security.UserGroupInformation;
> import org.apache.hadoop.security.token.Token;
> import org.apache.hadoop.security.token.TokenIdentifier;
> import java.security.PrivilegedAction;
> import java.security.PrivilegedExceptionAction;
> public class Main {
>     public static void main(String[] args) throws Exception {
>         String user = "harsh";
>         UserGroupInformation ugi = UserGroupInformation.createProxyUser(
>                 user, UserGroupInformation.getLoginUser());
>         User u = User.create(ugi);
>
>         // Method 1: how Oozie obtains the token today.
>         JobConf conf = new JobConf(HBaseConfiguration.create());
>         u.obtainAuthTokenForJob(conf);
>         for (Token<? extends TokenIdentifier> token :
>                 conf.getCredentials().getAllTokens()) {
>             System.out.println(token.getKind());
>             System.out.println(token.decodeIdentifier().getUser());
>         }
>         System.out.println();
>
>         // Method 2: obtain the token manually inside runAs for the proxied user.
>         final JobConf conf2 = new JobConf(HBaseConfiguration.create());
>         Token<AuthenticationTokenIdentifier> token = u.runAs(
>                 new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
>             public Token<AuthenticationTokenIdentifier> run() throws Exception {
>                 return TokenUtil.obtainToken(conf2);
>             }
>         });
>         conf2.getCredentials().addToken(token.getService(), token);
>         for (Token<? extends TokenIdentifier> token2 :
>                 conf2.getCredentials().getAllTokens()) {
>             System.out.println(token2.getKind());
>             System.out.println(token2.decodeIdentifier().getUser());
>         }
>     }
> }
> // kinit -kt oozie.keytab oozie/$(hostname -f)
> // javac -cp $(hbase classpath) Main.java
> // java -cp $PWD:$(hbase classpath) Main
> {code}
> This prints:
> {code}
> HBASE_AUTH_TOKEN
> [email protected] (auth:SIMPLE)
> HBASE_AUTH_TOKEN
> harsh (auth:SIMPLE)
> {code}
> The first token is identified as the server user, vs. the required proxied 
> user string.
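
A fail-closed variant of the doAs approach mentioned in the comment above, as an added example (not code from the issue or from Oozie): the hypothetical helper `obtainFor` requests the token inside `UserGroupInformation.doAs` and rejects it if the token identifier names anyone other than the proxied user. It assumes the proxied user is passed as a short name and that `TokenUtil.obtainToken(Configuration)` is available, as in the issue's demonstration.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.mapred.JobConf;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

public class ProxiedHBaseToken {
    /** Hypothetical helper: obtain an HBase token as proxyUser, fail closed on an owner mismatch. */
    static Token<AuthenticationTokenIdentifier> obtainFor(String proxyUser, final Configuration conf)
            throws IOException, InterruptedException {
        UserGroupInformation ugi = UserGroupInformation.createProxyUser(
                proxyUser, UserGroupInformation.getLoginUser());
        // Request the token inside doAs so the call runs as the proxied identity.
        Token<AuthenticationTokenIdentifier> token = ugi.doAs(
                new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
                    public Token<AuthenticationTokenIdentifier> run() throws Exception {
                        return TokenUtil.obtainToken(conf);
                    }
                });
        // The identifier records which user HBase issued the token to.
        UserGroupInformation issuedTo = token.decodeIdentifier().getUser();
        String owner = (issuedTo == null) ? null : issuedTo.getShortUserName();
        // Assumption: proxyUser is a short name, so it is compared with the short owner name.
        if (!proxyUser.equals(owner)) {
            throw new IOException("HBase token issued to '" + owner
                    + "', expected proxied user '" + proxyUser + "'");
        }
        return token;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java -cp $PWD:$(hbase classpath) ProxiedHBaseToken <proxy-user>
        JobConf conf = new JobConf(HBaseConfiguration.create());
        Token<AuthenticationTokenIdentifier> token = obtainFor(args[0], conf);
        // Only a token verified to belong to the proxied user reaches the job credentials.
        conf.getCredentials().addToken(token.getService(), token);
        System.out.println(token.getKind() + " issued to " + token.decodeIdentifier().getUser());
    }
}
```

Checking the owner before the token is added to the job credentials keeps a token minted for the server principal out of workflow actions.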


