[ https://issues.apache.org/jira/browse/HBASE-15622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matteo Bertozzi updated HBASE-15622: ------------------------------------ Attachment: HBASE-15622-v0.patch Attached v0, which simply moves SuperUsers.initialize() down. I have tried that on the cluster with the setup described above and seems to work. without any other consequences. > Superusers does not consider the keytab credentials > --------------------------------------------------- > > Key: HBASE-15622 > URL: https://issues.apache.org/jira/browse/HBASE-15622 > Project: HBase > Issue Type: Bug > Components: security > Affects Versions: 2.0.0, 1.2.0, 1.3.0, 1.1.4, 0.98.16.1 > Reporter: Matteo Bertozzi > Priority: Critical > Fix For: 2.0.0, 1.3.0, 0.98.19, 1.1.5, 1.2.2 > > Attachments: HBASE-15622-v0.patch > > > After HBASE-13755 the superuser we add by default (the process running hbase) > does not take in consideration the keytab credential. > We have an env with the process user being hbase and the keytab being > hbasefoo. > from Superusers TRACE I see, the hbase being picked up > {noformat} > TRACE Superusers: Current user name is hbase > {noformat} > from the RS audit I see the hbasefoo making requests > {noformat} > "allowed":true,"serviceName":"HBASE-1","username":"hbasefoo... > {noformat} > looking at the code in HRegionServer we do > {code} > public HRegionServer(Configuration conf, CoordinatedStateManager csm) > throws IOException { > ... > this.userProvider = UserProvider.instantiate(conf); > Superusers.initialize(conf); > .. > // login the server principal (if using secure Hadoop) > login(userProvider, hostName); > .. > {code} > Before HBASE-13755 we were initializing the super user in the ACL > coprocessor, so after the login. but now we do that before the login. > I'm not sure if we can just move the Superuser.initialize() after the login > [~mantonov]? -- This message was sent by Atlassian JIRA (v6.3.4#6332)