[
https://issues.apache.org/jira/browse/HBASE-29144?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nihal Jain updated HBASE-29144:
-------------------------------
Description:
After setting up an HBase-3 cluster with Kerberos, I was unable to list tables.
Upon investigation, I found that the following default configuration in HBase-3
does not work as expected:
{noformat}
hbase.client.registry.impl=org.apache.hadoop.hbase.client.ZKConnectionRegistry{noformat}
With HBASE-25051, we now create the configuration in the following manner in
[_ConnectionRegistryRpcStubHolder_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionRegistryRpcStubHolder.java#L80]
{code:java}
if (User.isHBaseSecurityEnabled(conf)) {
this.noAuthConf = new Configuration(conf);
this.noAuthConf.set(User.HBASE_SECURITY_CONF_KEY, "simple");
} else {
this.noAuthConf = conf;
}
{code}
*Reason*
{quote}We implement a new way to get information from a server through
different rpc preamble headers, and use it to get the cluster id before
actually setting up the secure rpc client.
{quote}
*Problem*
We have a method to get a singleton instance via
[_SaslClientAuthenticationProviders#getInstance()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProviders.java#L76]
and hence we end up calling
[{_}BuiltInProviderSelector#configure({_})|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L60]
with the above {{{}noAuthConf{}}}, thus initializing the variable
_[BuiltInProviderSelector.conf|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L53]_
with this no-auth config.
Any subsequent calls fail to connect during
[_BuiltInProviderSelector#selectProvider()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6]
due to the following configuration check:
{code:java}
// Superfluous: we don't do SIMPLE auth over SASL, but we should to
simplify.
if (!User.isHBaseSecurityEnabled(conf)) {
return new Pair<>(simpleAuth, null);
} {code}
We end up returning a simple auth instance, even thought our cluster is
kerberized.
*Possible Solutions*
# Remove the above check from
[_BuiltInProviderSelector#selectProvider(),_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6]
if it is unnecessary. (Tried locally works, not sure about side effects, if
any)
# Ensure the singleton instance is re-initialized with the correct
configuration so that it is not set with SIMPLE.
CC: [~zhangduo]
was:
After setting up an HBase-3 cluster with Kerberos, I was unable to list tables.
Upon investigation, I found that the following default configuration in HBase-3
does not work as expected:
{noformat}
hbase.client.registry.impl=org.apache.hadoop.hbase.client.ZKConnectionRegistry{noformat}
With HBASE-25051, we now create the configuration in the following manner in
[_ConnectionRegistryRpcStubHolder_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionRegistryRpcStubHolder.java#L80]
{code:java}
if (User.isHBaseSecurityEnabled(conf)) {
this.noAuthConf = new Configuration(conf);
this.noAuthConf.set(User.HBASE_SECURITY_CONF_KEY, "simple");
} else {
this.noAuthConf = conf;
}
{code}
*Reason*
{quote}We implement a new way to get information from a server through
different rpc preamble headers, and use it to get the cluster id before
actually setting up the secure rpc client.
{quote}
*Problem*
We have a method to get a singleton instance via
[_SaslClientAuthenticationProviders#getInstance()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProviders.java#L76]{{{{}}{}}}
and hence we end up calling
[{_}BuiltInProviderSelector#configure({_})|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L60]
with the above {{{}noAuthConf{}}}, thus initializing the variable
_[BuiltInProviderSelector.conf|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L53]_
with this no-auth config.
Any subsequent calls fail to connect during
[_BuiltInProviderSelector#selectProvider()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6]
due to the following configuration check:
{code:java}
// Superfluous: we don't do SIMPLE auth over SASL, but we should to
simplify.
if (!User.isHBaseSecurityEnabled(conf)) {
return new Pair<>(simpleAuth, null);
} {code}
We end up returning a simple auth instance.
*Possible Solutions*
# Remove the above check from
[_BuiltInProviderSelector#selectProvider(),_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6]
if it is unnecessary. (Tried locally works, not sure about side effects, if
any)
# Ensure the singleton instance is re-initialized with the correct
configuration so that it is not set with SIMPLE.
CC: [~zhangduo]
> Client request fails for KERBEROS with rpc based ConnectionRegistry
> -------------------------------------------------------------------
>
> Key: HBASE-29144
> URL: https://issues.apache.org/jira/browse/HBASE-29144
> Project: HBase
> Issue Type: Bug
> Affects Versions: 3.0.0-beta-2, 2.6.2
> Reporter: Nihal Jain
> Priority: Major
>
> After setting up an HBase-3 cluster with Kerberos, I was unable to list
> tables. Upon investigation, I found that the following default configuration
> in HBase-3 does not work as expected:
> {noformat}
> hbase.client.registry.impl=org.apache.hadoop.hbase.client.ZKConnectionRegistry{noformat}
> With HBASE-25051, we now create the configuration in the following manner in
> [_ConnectionRegistryRpcStubHolder_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionRegistryRpcStubHolder.java#L80]
> {code:java}
> if (User.isHBaseSecurityEnabled(conf)) {
> this.noAuthConf = new Configuration(conf);
> this.noAuthConf.set(User.HBASE_SECURITY_CONF_KEY, "simple");
> } else {
> this.noAuthConf = conf;
> }
> {code}
> *Reason*
> {quote}We implement a new way to get information from a server through
> different rpc preamble headers, and use it to get the cluster id before
> actually setting up the secure rpc client.
> {quote}
> *Problem*
> We have a method to get a singleton instance via
> [_SaslClientAuthenticationProviders#getInstance()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProviders.java#L76]
> and hence we end up calling
> [{_}BuiltInProviderSelector#configure({_})|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L60]
> with the above {{{}noAuthConf{}}}, thus initializing the variable
> _[BuiltInProviderSelector.conf|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L53]_
> with this no-auth config.
> Any subsequent calls fail to connect during
> [_BuiltInProviderSelector#selectProvider()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6]
> due to the following configuration check:
> {code:java}
> // Superfluous: we don't do SIMPLE auth over SASL, but we should to
> simplify.
> if (!User.isHBaseSecurityEnabled(conf)) {
> return new Pair<>(simpleAuth, null);
> } {code}
> We end up returning a simple auth instance, even thought our cluster is
> kerberized.
> *Possible Solutions*
> # Remove the above check from
> [_BuiltInProviderSelector#selectProvider(),_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6]
> if it is unnecessary. (Tried locally works, not sure about side effects, if
> any)
> # Ensure the singleton instance is re-initialized with the correct
> configuration so that it is not set with SIMPLE.
> CC: [~zhangduo]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
