[ https://issues.apache.org/jira/browse/OOZIE-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
abhishek bafna updated OOZIE-2419:
----------------------------------
    Fix Version/s: (was: trunk) 4.3.0

> HBase credentials are not correctly proxied
> -------------------------------------------
>
> Key: OOZIE-2419
> URL: https://issues.apache.org/jira/browse/OOZIE-2419
> Project: Oozie
> Issue Type: Bug
> Affects Versions: 4.2.0
> Reporter: Harsh J
> Assignee: Harsh J
> Fix For: 4.3.0
>
> Attachments: OOZIE-2419.001.patch, OOZIE-2419.002.patch
>
>
> The method we are using for obtaining tokens from HBase in
> HbaseCredentials.java does not appear to be proxying correctly. It obtains a
> token for the Oozie server user instead of the proxied user, causing a
> problem inside workflow actions that reference it.
> Here's a demonstration (the first method is how Oozie does it today, and the
> second is a more manual one that works correctly):
> {code}
> import org.apache.hadoop.hbase.HBaseConfiguration;
> import org.apache.hadoop.hbase.security.User;
> import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
> import org.apache.hadoop.hbase.security.token.TokenUtil;
> import org.apache.hadoop.mapred.JobConf;
> import org.apache.hadoop.security.UserGroupInformation;
> import org.apache.hadoop.security.token.Token;
> import org.apache.hadoop.security.token.TokenIdentifier;
> import java.security.PrivilegedAction;
> import java.security.PrivilegedExceptionAction;
> public class Main {
>   public static void main(String[] args) throws Exception {
>     String user = "harsh";
>     UserGroupInformation ugi =
>         UserGroupInformation.createProxyUser(user,
>             UserGroupInformation.getLoginUser());
>     User u = User.create(ugi);
>     JobConf conf = new JobConf(HBaseConfiguration.create());
>     u.obtainAuthTokenForJob(conf);
>     for (Token<? extends TokenIdentifier> token :
>         conf.getCredentials().getAllTokens()) {
>       System.out.println(token.getKind());
>       System.out.println(token.decodeIdentifier().getUser());
>     }
>     System.out.println();
>     final JobConf conf2 = new JobConf(HBaseConfiguration.create());
>     Token<AuthenticationTokenIdentifier> token = u.runAs(new
>         PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
>       public Token<AuthenticationTokenIdentifier> run() throws
>           Exception {
>         return TokenUtil.obtainToken(conf2);
>       }
>     });
>     conf2.getCredentials().addToken(token.getService(), token);
>     for (Token<? extends TokenIdentifier> token2 :
>         conf2.getCredentials().getAllTokens()) {
>       System.out.println(token2.getKind());
>       System.out.println(token2.decodeIdentifier().getUser());
>     }
>   }
> }
> // kinit -kt oozie.keytab oozie/$(hostname -f)
> // javac -cp $(hbase classpath) Main.java
> // java -cp $PWD:$(hbase classpath) Main
> {code}
> This prints:
> {code}
> HBASE_AUTH_TOKEN
> oo...@example.com (auth:SIMPLE)
> HBASE_AUTH_TOKEN
> harsh (auth:SIMPLE)
> {code}
> The first token identifies the server user rather than the required proxied
> user.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)