[
https://issues.apache.org/jira/browse/OOZIE-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15073338#comment-15073338
]
Harsh J commented on OOZIE-2419:
--------------------------------
It was added with 0.92 onwards, but Oozie still supports 0.90 which didn't have
these token APIs. I'll take a closer look in HBase to see if there's another
way that works for both equally well.
> HBase credentials are not correctly proxied
> -------------------------------------------
>
> Key: OOZIE-2419
> URL: https://issues.apache.org/jira/browse/OOZIE-2419
> Project: Oozie
> Issue Type: Bug
> Affects Versions: 4.2.0
> Reporter: Harsh J
> Assignee: Harsh J
> Attachments: OOZIE-2419.001.patch
>
>
> The method we are using for obtaining tokens from HBase in
> HbaseCredentials.java does not appear to be proxying correctly. It obtains a
> token for the Oozie server user instead of the proxied user, causing a
> problem inside workflow actions that reference it.
> Here's a demonstration (the first method is how Oozie does it today, and the
> second method is a more manual one which works correctly instead):
> {code}
> import org.apache.hadoop.hbase.HBaseConfiguration;
> import org.apache.hadoop.hbase.security.User;
> import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
> import org.apache.hadoop.hbase.security.token.TokenUtil;
> import org.apache.hadoop.mapred.JobConf;
> import org.apache.hadoop.security.UserGroupInformation;
> import org.apache.hadoop.security.token.Token;
> import org.apache.hadoop.security.token.TokenIdentifier;
> import java.security.PrivilegedAction;
> import java.security.PrivilegedExceptionAction;
> public class Main {
> public static void main(String[] args) throws Exception {
> String user = "harsh";
> UserGroupInformation ugi =
> UserGroupInformation.createProxyUser(user,
> UserGroupInformation.getLoginUser());
> User u = User.create(ugi);
> JobConf conf = new JobConf(HBaseConfiguration.create());
> u.obtainAuthTokenForJob(conf);
> for (Token<? extends TokenIdentifier> token :
> conf.getCredentials().getAllTokens()) {
> System.out.println(token.getKind());
> System.out.println(token.decodeIdentifier().getUser());
> }
> System.out.println();
> final JobConf conf2 = new JobConf(HBaseConfiguration.create());
> Token<AuthenticationTokenIdentifier> token = u.runAs(new
> PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
> public Token<AuthenticationTokenIdentifier> run() throws
> Exception {
> return TokenUtil.obtainToken(conf2);
> }
> });
> conf2.getCredentials().addToken(token.getService(), token);
> for (Token<? extends TokenIdentifier> token2 :
> conf2.getCredentials().getAllTokens()) {
> System.out.println(token2.getKind());
> System.out.println(token2.decodeIdentifier().getUser());
> }
> }
> }
> // kinit -kt oozie.keytab oozie/$(hostname -f)
> // javac -cp $(hbase classpath) Main.java
> // java -cp $PWD:$(hbase classpath) Main
> {code}
> This prints:
> {code}
> HBASE_AUTH_TOKEN
> [email protected] (auth:SIMPLE)
> HBASE_AUTH_TOKEN
> harsh (auth:SIMPLE)
> {code}
> The first token is identified as the server user, vs. the required proxied
> user string.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
