[ https://issues.apache.org/jira/browse/OOZIE-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Harsh J updated OOZIE-2419:
---------------------------
    Attachment: OOZIE-2419.002.patch

This new patch should compile fine.

I rechecked and we default our pom.xml to 0.94.2 and 0.94.2 source trees do 
have the token package/classes. However, it was not until later that the HBase 
project actually put a -Psecurity based build up in maven, so those packages 
are missing in 0.94.2 jars. I've kept the 0.94 as is but have switched the dot 
release to 0.94.27, which is the latest available. This maven jar version has 
the packages we need for this change, as it's properly built with the security 
profile by the HBase folks.

> HBase credentials are not correctly proxied
> -------------------------------------------
>
>                 Key: OOZIE-2419
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2419
>             Project: Oozie
>          Issue Type: Bug
>    Affects Versions: 4.2.0
>            Reporter: Harsh J
>            Assignee: Harsh J
>         Attachments: OOZIE-2419.001.patch, OOZIE-2419.002.patch
>
>
> The method we are using for obtaining tokens from HBase in 
> HbaseCredentials.java does not appear to be proxying correctly. It obtains a 
> token for the Oozie server user instead of the proxied user, causing a 
> problem inside workflow actions that reference it.
> Here's a demonstration (the first method is how Oozie does it today, and the 
> second method is a more manual one which works correctly instead):
> {code}
> import org.apache.hadoop.hbase.HBaseConfiguration;
> import org.apache.hadoop.hbase.security.User;
> import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
> import org.apache.hadoop.hbase.security.token.TokenUtil;
> import org.apache.hadoop.mapred.JobConf;
> import org.apache.hadoop.security.UserGroupInformation;
> import org.apache.hadoop.security.token.Token;
> import org.apache.hadoop.security.token.TokenIdentifier;
> import java.security.PrivilegedAction;
> import java.security.PrivilegedExceptionAction;
> public class Main {
>     public static void main(String[] args) throws Exception {
>         String user = "harsh";
>         UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser());
>         User u = User.create(ugi);
>
>         // Method 1: how Oozie does it today.
>         JobConf conf = new JobConf(HBaseConfiguration.create());
>         u.obtainAuthTokenForJob(conf);
>         for (Token<? extends TokenIdentifier> token : conf.getCredentials().getAllTokens()) {
>             System.out.println(token.getKind());
>             System.out.println(token.decodeIdentifier().getUser());
>         }
>         System.out.println();
>
>         // Method 2: obtain the token manually inside runAs() for the proxied user.
>         final JobConf conf2 = new JobConf(HBaseConfiguration.create());
>         Token<AuthenticationTokenIdentifier> token = u.runAs(new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
>             public Token<AuthenticationTokenIdentifier> run() throws Exception {
>                 return TokenUtil.obtainToken(conf2);
>             }
>         });
>         conf2.getCredentials().addToken(token.getService(), token);
>         for (Token<? extends TokenIdentifier> token2 : conf2.getCredentials().getAllTokens()) {
>             System.out.println(token2.getKind());
>             System.out.println(token2.decodeIdentifier().getUser());
>         }
>     }
> }
> // kinit -kt oozie.keytab oozie/$(hostname -f)
> // javac -cp $(hbase classpath) Main.java
> // java -cp $PWD:$(hbase classpath) Main
> {code}
> This prints:
> {code}
> HBASE_AUTH_TOKEN
> oo...@example.com (auth:SIMPLE)
> HBASE_AUTH_TOKEN
> harsh (auth:SIMPLE)
> {code}
> The first token is identified as the server user, vs. the required proxied 
> user string.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
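
A fail-closed version of the working method from the issue description, as an added example (not part of the original message and not the code in the attached Oozie patch): the token is obtained inside the proxy user's `doAs`, and it is only stored if its identifier names the proxied user. The names `ProxiedHBaseToken`, `addVerifiedToken` and `requireOwner` are hypothetical; the code assumes security-enabled HBase 0.94 jars on the classpath and a Kerberos login for the server principal, as in the demonstration above.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.TokenUtil;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper class, not Oozie code.
public final class ProxiedHBaseToken {

    /** Obtains an HBase token as proxiedUser and stores it only if it is owned by that user. */
    public static void addVerifiedToken(String proxiedUser, final Configuration conf, Credentials creds)
            throws IOException, InterruptedException {
        UserGroupInformation ugi =
                UserGroupInformation.createProxyUser(proxiedUser, UserGroupInformation.getLoginUser());
        // The RPC that issues the token must run inside doAs(); otherwise the
        // token is issued for the login (server) user, as the first output pair shows.
        Token<AuthenticationTokenIdentifier> token = ugi.doAs(
                new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
                    public Token<AuthenticationTokenIdentifier> run() throws Exception {
                        return TokenUtil.obtainToken(conf);
                    }
                });
        requireOwner(token, ugi.getShortUserName());
        creds.addToken(token.getService(), token);
    }

    /** Throws unless the token's decoded identifier names the expected short user name. */
    static void requireOwner(Token<? extends TokenIdentifier> token, String expected) throws IOException {
        TokenIdentifier id = token.decodeIdentifier();
        UserGroupInformation owner = (id == null) ? null : id.getUser();
        String actual = (owner == null) ? null : owner.getShortUserName();
        if (!expected.equals(actual)) {
            // Refuse to hand a token for the wrong identity to a workflow action.
            throw new IOException("HBase token owner '" + actual
                    + "' does not match proxied user '" + expected + "'");
        }
    }
}
```

`requireOwner` can also be run over every entry of `getAllTokens()` in a test to catch a regression where a token is again issued for the server principal.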
