[
https://issues.apache.org/jira/browse/HBASE-29144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17929660#comment-17929660
]
Nihal Jain commented on HBASE-29144:
------------------------------------
The issue exists for branch-2 as well, we can simple try following to verify on
a secure (kerberized) env:
{code:java}
hbase shell
-Dhbase.client.registry.impl=org.apache.hadoop.hbase.client.RpcConnectionRegistry
{code}
It would fail with following:
{code:java}
hbase:003:0> list
TABLE
2025-02-21 07:01:19,510 WARN [RPCClient-NioEventLoopGroup-1-3]
ipc.NettyRpcConnection: Exception encountered while connecting to the server
HOSTNAME:16000
org.apache.hbase.thirdparty.io.netty.channel.AbstractChannel$AnnotatedConnectException:
Connection refused: HOSTNAME/IP_ADDRESS:16000
Caused by: java.net.ConnectException: Connection refused
at java.base/sun.nio.ch.Net.pollConnect(Native Method)
at java.base/sun.nio.ch.Net.pollConnectNow(Net.java:672)
at
java.base/sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:946)
at
org.apache.hbase.thirdparty.io.netty.channel.socket.nio.NioSocketChannel.doFinishConnect(NioSocketChannel.java:337)
at
org.apache.hbase.thirdparty.io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:339)
at
org.apache.hbase.thirdparty.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:776)
at
org.apache.hbase.thirdparty.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
at
org.apache.hbase.thirdparty.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
at
org.apache.hbase.thirdparty.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
at
org.apache.hbase.thirdparty.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
at
org.apache.hbase.thirdparty.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at
org.apache.hbase.thirdparty.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:840)
ERROR: Connection refused
For usage try 'help "list"' {code}
> Client request fails for KERBEROS with rpc based ConnectionRegistry
> -------------------------------------------------------------------
>
> Key: HBASE-29144
> URL: https://issues.apache.org/jira/browse/HBASE-29144
> Project: HBase
> Issue Type: Bug
> Affects Versions: 3.0.0-beta-2, 2.6.2
> Reporter: Nihal Jain
> Priority: Major
>
> After setting up an HBase-3 cluster with Kerberos, I was unable to list
> tables. Upon investigation, I found that the following default configuration
> in HBase-3 does not work as expected:
> {noformat}
> hbase.client.registry.impl=org.apache.hadoop.hbase.client.ZKConnectionRegistry{noformat}
> With HBASE-25051, we now create the configuration in the following manner in
> [_ConnectionRegistryRpcStubHolder_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionRegistryRpcStubHolder.java#L80]
> {code:java}
> if (User.isHBaseSecurityEnabled(conf)) {
> this.noAuthConf = new Configuration(conf);
> this.noAuthConf.set(User.HBASE_SECURITY_CONF_KEY, "simple");
> } else {
> this.noAuthConf = conf;
> }
> {code}
> *Reason*
> {quote}We implement a new way to get information from a server through
> different rpc preamble headers, and use it to get the cluster id before
> actually setting up the secure rpc client.
> {quote}
> *Problem*
> We have a method to get a singleton instance via
> [_SaslClientAuthenticationProviders#getInstance()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProviders.java#L76]
> and hence we end up calling
> [{_}BuiltInProviderSelector#configure({_})|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L60]
> with the above {{{}noAuthConf{}}}, thus initializing the variable
> _[BuiltInProviderSelector.conf|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L53]_
> with this no-auth config.
> Any subsequent calls fail to connect during
> [_BuiltInProviderSelector#selectProvider()_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6]
> due to the following configuration check:
> {code:java}
> // Superfluous: we don't do SIMPLE auth over SASL, but we should to
> simplify.
> if (!User.isHBaseSecurityEnabled(conf)) {
> return new Pair<>(simpleAuth, null);
> } {code}
> We end up returning a simple auth instance, even thought our cluster is
> kerberized.
> *Possible Solutions*
> # Remove the above check from
> [_BuiltInProviderSelector#selectProvider(),_|https://github.com/apache/hbase/blob/a5666c085844307e694025ddc7ac710e017b3edf/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.java#L104C1-L107C6]
> if it is unnecessary. (Tried locally works, not sure about side effects, if
> any)
> # Ensure the singleton instance is re-initialized with the correct
> configuration so that it is not set with SIMPLE.
> CC: [~zhangduo]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
