[
https://issues.apache.org/jira/browse/OOZIE-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15061668#comment-15061668
]
Hadoop QA commented on OOZIE-2419:
----------------------------------
Testing JIRA OOZIE-2419
Cleaning local git workspace
----------------------------
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
. {color:green}+1{color} the patch does not introduce any @author tags
. {color:green}+1{color} the patch does not introduce any tabs
. {color:green}+1{color} the patch does not introduce any trailing spaces
. {color:green}+1{color} the patch does not introduce any line longer than 132
. {color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
. {color:green}+1{color} the patch does not seem to introduce new RAT warnings
{color:green}+1 JAVADOC{color}
. {color:green}+1{color} the patch does not seem to introduce new Javadoc warnings
{color:red}-1 COMPILE{color}
. {color:green}+1{color} HEAD compiles
. {color:red}-1{color} patch does not compile
. {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
. {color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
. {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color} - patch does not compile, cannot run testcases
{color:red}-1 DISTRO{color}
. {color:red}-1{color} distro tarball fails with the patch
----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/oozie-trunk-precommit-build/2684/
> HBase credentials are not correctly proxied
> -------------------------------------------
>
> Key: OOZIE-2419
> URL: https://issues.apache.org/jira/browse/OOZIE-2419
> Project: Oozie
> Issue Type: Bug
> Affects Versions: 4.2.0
> Reporter: Harsh J
> Assignee: Harsh J
> Attachments: OOZIE-2419.001.patch
>
>
> The method we are using for obtaining tokens from HBase in
> HbaseCredentials.java does not appear to be proxying correctly. It obtains a
> token for the Oozie server user instead of the proxied user, causing a
> problem inside workflow actions that reference it.
> Here's a demonstration (the first method is how Oozie does it today, and the
> second method is a more manual one which works correctly instead):
> {code}
> import org.apache.hadoop.hbase.HBaseConfiguration;
> import org.apache.hadoop.hbase.security.User;
> import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
> import org.apache.hadoop.hbase.security.token.TokenUtil;
> import org.apache.hadoop.mapred.JobConf;
> import org.apache.hadoop.security.UserGroupInformation;
> import org.apache.hadoop.security.token.Token;
> import org.apache.hadoop.security.token.TokenIdentifier;
> import java.security.PrivilegedAction;
> import java.security.PrivilegedExceptionAction;
> public class Main {
>     public static void main(String[] args) throws Exception {
>         String user = "harsh";
>         UserGroupInformation ugi =
>             UserGroupInformation.createProxyUser(user,
>                 UserGroupInformation.getLoginUser());
>         User u = User.create(ugi);
>
>         // Method 1 (how Oozie does it today): token is issued for the server user.
>         JobConf conf = new JobConf(HBaseConfiguration.create());
>         u.obtainAuthTokenForJob(conf);
>         for (Token<? extends TokenIdentifier> token :
>                 conf.getCredentials().getAllTokens()) {
>             System.out.println(token.getKind());
>             System.out.println(token.decodeIdentifier().getUser());
>         }
>         System.out.println();
>
>         // Method 2 (manual): obtain the token inside runAs() as the proxied user.
>         final JobConf conf2 = new JobConf(HBaseConfiguration.create());
>         Token<AuthenticationTokenIdentifier> token = u.runAs(new
>             PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
>                 public Token<AuthenticationTokenIdentifier> run() throws Exception {
>                     return TokenUtil.obtainToken(conf2);
>                 }
>             });
>         conf2.getCredentials().addToken(token.getService(), token);
>         for (Token<? extends TokenIdentifier> token2 :
>                 conf2.getCredentials().getAllTokens()) {
>             System.out.println(token2.getKind());
>             System.out.println(token2.decodeIdentifier().getUser());
>         }
>     }
> }
> // kinit -kt oozie.keytab oozie/$(hostname -f)
> // javac -cp $(hbase classpath) Main.java
> // java -cp $PWD:$(hbase classpath) Main
> {code}
> This prints:
> {code}
> HBASE_AUTH_TOKEN
> [email protected] (auth:SIMPLE)
> HBASE_AUTH_TOKEN
> harsh (auth:SIMPLE)
> {code}
> The first token is identified as the server user, vs. the required proxied
> user string.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)