[
https://issues.apache.org/jira/browse/HBASE-1697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280832#comment-13280832
]
Laxman commented on HBASE-1697:
-------------------------------
Thanks for the info Andrew. I'm discussing this issue with Eugene.
(ZOOKEEPER-1467)
We got struck with another problem in HBase client authentication.
Client is not able to establish connection with HBase server successfully.
Exception we got here:
{noformat}
2012-05-22 09:42:22,627 WARN org.apache.hadoop.ipc.SecureClient: Exception
encountered while connecting to the server : javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)]
2012-05-22 09:42:22,627 ERROR org.apache.hadoop.security.UserGroupInformation:
PriviledgedActionException as:testuser (auth:KERBEROS)
cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate
failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)]
2012-05-22 09:42:22,630 DEBUG org.apache.hadoop.ipc.SecureClient: closing ipc
connection to HOST-10-18-40-19/10.18.40.19:60020:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos
tgt)]
java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos tgt)]
at
org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection$1.run(SecureClient.java:227)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1177)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.hbase.util.Methods.call(Methods.java:37)
at org.apache.hadoop.hbase.security.User.call(User.java:586)
at org.apache.hadoop.hbase.security.User.access$700(User.java:50)
at
org.apache.hadoop.hbase.security.User$SecureHadoopUser.runAs(User.java:440)
at
org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection.handleSaslConnectionFailure(SecureClient.java:194)
at
org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection.setupIOstreams(SecureClient.java:274)
at
org.apache.hadoop.hbase.ipc.SecureClient.getConnection(SecureClient.java:485)
at
org.apache.hadoop.hbase.ipc.SecureClient.getConnection(SecureClient.java:69)
at org.apache.hadoop.hbase.ipc.HBaseClient.call(HBaseClient.java:897)
at
org.apache.hadoop.hbase.ipc.SecureRpcEngine$Invoker.invoke(SecureRpcEngine.java:164)
at $Proxy6.getProtocolVersion(Unknown Source)
at
org.apache.hadoop.hbase.ipc.SecureRpcEngine.getProxy(SecureRpcEngine.java:208)
at org.apache.hadoop.hbase.ipc.HBaseRPC.getProxy(HBaseRPC.java:303)
at org.apache.hadoop.hbase.ipc.HBaseRPC.getProxy(HBaseRPC.java:280)
at org.apache.hadoop.hbase.ipc.HBaseRPC.getProxy(HBaseRPC.java:332)
at org.apache.hadoop.hbase.ipc.HBaseRPC.waitForProxy(HBaseRPC.java:236)
at
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.getHRegionConnection(HConnectionManager.java:1284)
at
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.getHRegionConnection(HConnectionManager.java:1240)
at
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.getHRegionConnection(HConnectionManager.java:1227)
at
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.locateRegionInMeta(HConnectionManager.java:936)
at
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.locateRegion(HConnectionManager.java:832)
at
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.locateRegion(HConnectionManager.java:801)
at
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.locateRegionInMeta(HConnectionManager.java:933)
at
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.locateRegion(HConnectionManager.java:836)
at
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.locateRegion(HConnectionManager.java:801)
at org.apache.hadoop.hbase.client.HTable.finishSetup(HTable.java:234)
at org.apache.hadoop.hbase.client.HTable.<init>(HTable.java:174)
at org.apache.hadoop.hbase.client.HTable.<init>(HTable.java:133)
at hbase.test.Hbasetest.main(Hbasetest.java:37)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)]
at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at
org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:138)
at
org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection.setupSaslConnection(SecureClient.java:176)
at
org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection.access$500(SecureClient.java:84)
at
org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection$2.run(SecureClient.java:267)
at
org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection$2.run(SecureClient.java:264)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1177)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.hbase.util.Methods.call(Methods.java:37)
at org.apache.hadoop.hbase.security.User.call(User.java:586)
at org.apache.hadoop.hbase.security.User.access$700(User.java:50)
at
org.apache.hadoop.hbase.security.User$SecureHadoopUser.runAs(User.java:440)
at
org.apache.hadoop.hbase.ipc.SecureClient$SecureConnection.setupIOstreams(SecureClient.java:263)
... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos tgt)
at
sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
at
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
at
sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
at
sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
at
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
at
sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at
com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 40 more
2012-05-22 09:42:22,636 DEBUG org.apache.hadoop.ipc.SecureClient: IPC Client
(1778276127) connection to HOST-10-18-40-19/10.18.40.19:60020 from testuser:
closed
2012-05-22 09:42:22,638 DEBUG
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation:
locateRegionInMeta parentTable=-ROOT-, metaLocation={region=-ROOT-,,0.70236052,
hostname=HOST-10-18-40-19, port=60020}, attempt=0 of 120 failed; retrying after
sleep of 1000 because: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos tgt)]
2012-05-22 09:42:22,640 DEBUG
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation:
Looked up root region location,
connection=org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation@6ecf829d;
serverName=HOST-10-18-40-19,60020,1337574445438
2012-05-22 09:42:23,641 DEBUG
org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation:
Looked up root region location,
connection=org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation@6ecf829d;
serverName=HOST-10-18-40-19,60020,1337574445438
2012-05-22 09:42:23,642 DEBUG org.apache.hadoop.ipc.SecureClient: RPC Server
Kerberos principal name for
protocol=org.apache.hadoop.hbase.ipc.HRegionInterface is hbase/had...@hadoop.com
{noformat}
Other details:
HBase version: 0.94.0
Hadoop version: 0.23.1
Kerberos version: 1.10.1
Java version: 1.6.0_31, 64 bit
Linux version: SuSE 11.1 [Kernel version : 2.6.32.12-0.7-default x86_64
GNU/Linux]
We had gone thru the solutions available @
http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
https://ccp.cloudera.com/display/CDHDOC/Appendix+A+-+Troubleshooting#AppendixA-Troubleshooting-Problem2%3AJavaisunabletoreadtheKerberoscredentialscachecreatedbyversionsofMITKerberos1.8.1orhigher.
But none of then seems to work. Any clues?
> Discretionary access control
> ----------------------------
>
> Key: HBASE-1697
> URL: https://issues.apache.org/jira/browse/HBASE-1697
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Andrew Purtell
> Assignee: Andrew Purtell
>
> Consider implementing discretionary access control for HBase.
> Access control has three aspects: authentication, authorization and audit.
> - Authentication: Access is controlled by insisting on an authentication
> procedure to establish the identity of the user. The authentication procedure
> should minimally require a non-plaintext authentication factor (e.g.
> encrypted password with salt) and should ideally or at least optionally
> provide cryptographically strong confidence via public key certification.
> - Authorization: Access is controlled by specifying rights to resources via
> an access control list (ACL). An ACL is a list of permissions attached to an
> object. The list specifies who or what is allowed to access the object and
> what operations are allowed to be performed on the object, f.e. create,
> update, read, or delete.
> - Audit: Important actions taken by subjects should be logged for
> accountability, a chronological record which enables the full reconstruction
> and examination of a sequence of events, e.g. schema changes or data
> mutations. Logging activity should be protected from all subjects except for
> a restricted set with administrative privilege, perhaps to only a single
> super-user.
> Discretionary access control means the access policy for an object is
> determined by the owner of the object. Every object in the system must have a
> valid owner. Owners can assign access rights and permissions to other users.
> The initial owner of an object is the subject who created it. If subjects are
> deleted from a system, ownership of objects owned by them should revert to
> some super-user or otherwise valid default.
> HBase can enforce access policy at table, column family, or cell granularity.
> Cell granularity does not make much sense. An implementation which controls
> access at both the table and column family levels is recommended, though a
> first cut could consider control at the table level only. The initial set of
> permissions can be: Create (table schema or column family), update (table
> schema or column family), read (column family), delete (table or column
> family), execute (filters), and transfer ownership. The subject identities
> and access tokens could be stored in a new administrative table. ACLs on
> tables and column families can be stored in META.
> Access other than read access to catalog and administrative tables should be
> restricted to a set of administrative users or perhaps a single super-user. A
> data mutation on a user table by a subject without administrative or
> superuser privilege which results in a table split is an implicit temporary
> privilege elevation where the regionserver or master updates the catalog
> tables as necessary to support the split.
> Audit logging should be configurable on a per-table basis to avoid this
> overhead where it is not wanted.
> Consider supporting external authentication and subject identification
> mechanisms with Java library support: RADIUS/TACACS, Kerberos, LDAP.
> Consider logging audit trails to an HBase table (bigtable type schemas are
> natural for this) and optionally external logging options with Java library
> support -- syslog, etc., or maybe commons-logging is sufficient and punt to
> administrator to set up appropriate commons-logging/log4j configurations for
> their needs.
> If HBASE-1002 is considered, and the option to support filtering via upload
> of (perhaps complex) bytecode produced by some little language compiler is
> implemented, the execute privilege could be extended in a manner similar to
> how stored procedures in SQL land execute either with the privilege of the
> current user or the (table/procedure) creator.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
