[jira] [Commented] (HBASE-17827) Client tools relying on AuthUtil.getAuthChore() break credential cache login

Thu, 23 Mar 2017 12:46:03 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-17827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15939105#comment-15939105
 ] 

Sean Busbey commented on HBASE-17827:
-------------------------------------

counter argument (that I don't think I agree with): AuthUtil.getAuthChore is 
meant for long running applications and as such users shouldn't be deploying 
applications that are based on it using a local kinit that will inevitably fail 
once renewal lifetimes are exceeded.

> Client tools relying on AuthUtil.getAuthChore() break credential cache login
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-17827
>                 URL: https://issues.apache.org/jira/browse/HBASE-17827
>             Project: HBase
>          Issue Type: Bug
>          Components: canary, security
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>            Priority: Critical
>
> Client tools, such as Canary, which make use of keytab based logins with 
> AuthUtil.getAuthChore() do not allow any way to continue without a 
> keytab-based login when security is enabled.  Currently, when security is 
> enabled and the configuration lacks {{hbase.client.keytab.file}}, these tools 
> would fail with:
> {noformat}
> ERROR hbase.AuthUtil: Error while trying to perform the initial login: 
> Running in secure mode, but config doesn't have a keytab
> java.io.IOException: Running in secure mode, but config doesn't have a keytab
>         at 
> org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239)
>         at 
> org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420)
>         at org.apache.hadoop.hbase.security.User.login(User.java:258)
>         at 
> org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197)
>         at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98)
>         at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589)
>         at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
>         at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327)
> Exception in thread "main" java.io.IOException: Running in secure mode, but 
> config doesn't have a keytab
>         at 
> org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239)
>         at 
> org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420)
>         at org.apache.hadoop.hbase.security.User.login(User.java:258)
>         at 
> org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197)
>         at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98)
>         at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589)
>         at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70)
>         at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327)
> {noformat}
> These tools should still work with the default credential-cache login, at 
> least when a client keytab is not configured.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to