[ https://issues.apache.org/jira/browse/HBASE-2418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13154088#comment-13154088 ]
Mikhail Bautin commented on HBASE-2418:
---------------------------------------

I just saw this regionserver crash in my five-node, three-RS cluster test. Since this is a ZK-related patch that went in recently, I am attaching the stack trace here just in case.

2011-11-21 01:30:15,188 FATAL org.apache.hadoop.hbase.regionserver.HRegionServer: ABORTING region server <machine_name>,60020,1321867814890: Initialization of RS failed. Hence aborting RS.
java.util.ConcurrentModificationException
        at java.util.Hashtable$Enumerator.next(Hashtable.java:1031)
        at org.apache.hadoop.conf.Configuration.iterator(Configuration.java:1042)
        at org.apache.hadoop.hbase.zookeeper.ZKConfig.makeZKProps(ZKConfig.java:75)
        at org.apache.hadoop.hbase.zookeeper.ZKConfig.getZKQuorumServersString(ZKConfig.java:245)
        at org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher.<init>(ZooKeeperWatcher.java:144)
        at org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher.<init>(ZooKeeperWatcher.java:124)
        at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.getZooKeeperWatcher(HConnectionManager.java:1262)
        at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.setupZookeeperTrackers(HConnectionManager.java:568)
        at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.<init>(HConnectionManager.java:559)
        at org.apache.hadoop.hbase.client.HConnectionManager.getConnection(HConnectionManager.java:183)
        at org.apache.hadoop.hbase.catalog.CatalogTracker.<init>(CatalogTracker.java:177)
        at org.apache.hadoop.hbase.regionserver.HRegionServer.initializeZooKeeper(HRegionServer.java:575)
        at org.apache.hadoop.hbase.regionserver.HRegionServer.preRegistrationInitialization(HRegionServer.java:534)
        at org.apache.hadoop.hbase.regionserver.HRegionServer.run(HRegionServer.java:642)
        at java.lang.Thread.run(Thread.java:619)

> add support for ZooKeeper authentication
> ----------------------------------------
>
>                 Key: HBASE-2418
>                 URL: https://issues.apache.org/jira/browse/HBASE-2418
>             Project: HBase
>          Issue Type: Improvement
>          Components: master, regionserver
>            Reporter: Patrick Hunt
>            Assignee: Eugene Koontz
>            Priority: Critical
>              Labels: security, zookeeper
>             Fix For: 0.92.0, 0.94.0
>
>         Attachments: 2418.addendum, HBASE-2418-6.patch, HBASE-2418-6.patch
>
>
> Some users may run a ZooKeeper cluster in "multi tenant mode" meaning that more than one client service would
> like to share a single ZooKeeper service instance (cluster). In this case the client services typically want to protect
> their data (ZK znodes) from access by other services (tenants) on the cluster. Say you are running HBase and Solr
> and Neo4j, or multiple HBase instances, etc... having authentication/authorization on the znodes is important for both
> security and helping to ensure that services don't interact negatively (touch each other's data).
> Today HBase does not have support for authentication or authorization. This should be added to the HBase clients
> that are accessing the ZK cluster. In general it means calling addAuthInfo once after a session is established:
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooKeeper.html#addAuthInfo(java.lang.String, byte[])
> with a user specific credential, often times this is a shared secret or certificate. You may be able to statically configure this
> in some cases (config string or file to read from), however in my case in particular you may need to access it programmatically,
> which adds complexity as the end user may need to load code into HBase for accessing the credential.
> Secondly you need to specify a non "world" ACL when interacting with znodes (create primarily):
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/data/ACL.html
> http://hadoop.apache.org/zookeeper/docs/current/api/org/apache/zookeeper/ZooDefs.html
> Feel free to ping the ZooKeeper team if you have questions. It might also be good to discuss with some
> potential end users - in particular regarding how the end user can specify the credential.