[jira] [Updated] (OOZIE-2419) HBase credentials are not correctly proxied

Wed, 03 Aug 2016 00:13:44 -0700 

     [ 
https://issues.apache.org/jira/browse/OOZIE-2419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

abhishek bafna updated OOZIE-2419:
----------------------------------
    Fix Version/s:     (was: trunk)
                   4.3.0

> HBase credentials are not correctly proxied
> -------------------------------------------
>
>                 Key: OOZIE-2419
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2419
>             Project: Oozie
>          Issue Type: Bug
>    Affects Versions: 4.2.0
>            Reporter: Harsh J
>            Assignee: Harsh J
>             Fix For: 4.3.0
>
>         Attachments: OOZIE-2419.001.patch, OOZIE-2419.002.patch
>
>
> The method we are using for obtaining tokens from HBase in 
> HbaseCredentials.java does not appear to be proxying correctly. It obtains a 
> token for the Oozie server user instead of the proxied user, causing a 
> problem inside workflow actions that reference it.
> Here's a demonstration (the first method is how Oozie does it today, and the 
> second method is a more manual one which works correctly instead):
> {code}
> import org.apache.hadoop.hbase.HBaseConfiguration;
> import org.apache.hadoop.hbase.security.User;
> import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
> import org.apache.hadoop.hbase.security.token.TokenUtil;
> import org.apache.hadoop.mapred.JobConf;
> import org.apache.hadoop.security.UserGroupInformation;
> import org.apache.hadoop.security.token.Token;
> import org.apache.hadoop.security.token.TokenIdentifier;
> import java.security.PrivilegedAction;
> import java.security.PrivilegedExceptionAction;
> public class Main {
>     public static void main(String[] args) throws Exception {
>         String user = "harsh";
>         UserGroupInformation ugi =  
> UserGroupInformation.createProxyUser(user, 
> UserGroupInformation.getLoginUser());
>         User u = User.create(ugi);
>         JobConf conf = new JobConf(HBaseConfiguration.create());
>         u.obtainAuthTokenForJob(conf);
>         for (Token<? extends TokenIdentifier> token : 
> conf.getCredentials().getAllTokens()) {
>             System.out.println(token.getKind());
>             System.out.println(token.decodeIdentifier().getUser());
>         }
>         System.out.println();
>         final JobConf conf2 = new JobConf(HBaseConfiguration.create());
>         Token<AuthenticationTokenIdentifier> token = u.runAs(new 
> PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
>             public Token<AuthenticationTokenIdentifier> run() throws 
> Exception {
>                 return TokenUtil.obtainToken(conf2);
>             }
>         });
>         conf2.getCredentials().addToken(token.getService(), token);
>         for (Token<? extends TokenIdentifier> token2 : 
> conf2.getCredentials().getAllTokens()) {
>             System.out.println(token2.getKind());
>             System.out.println(token2.decodeIdentifier().getUser());
>         }
>     }
> }
> // kinit -kt oozie.keytab oozie/$(hostname -f)
> // javac -cp $(hbase classpath) Main.java
> // java -cp $PWD:$(hbase classpath) Main
> {code}
> This prints:
> {code}
> HBASE_AUTH_TOKEN
> oo...@example.com (auth:SIMPLE)
> HBASE_AUTH_TOKEN
> harsh (auth:SIMPLE)
> {code}
> The first token is identified as the server user, vs. the required proxied 
> user string.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to