[ https://issues.apache.org/jira/browse/ACCUMULO-3568?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser updated ACCUMULO-3568:
---------------------------------
    Description: 
The server-side impl for {{TableOperationsImpl.getDiskUsage}} pulls the 
credentials from the RPC and makes a {{Connector}} from them instead of using 
its own credentials. With Kerberos enabled, this results in the server 
"accumulo/hostname@REALM" trying to act as "user@REALM" which (correctly) fails.

The getDiskUsage implementation should use its own Connector (using the 
SystemToken from the ServerContext), perform the correct security checks for 
permissions and act on behalf of the user instead of trying to *be* the user.

  was:{{TableOperationsImpl.getDiskUsage}} uses the {{ServerClient}} class 
which is meant for Accumulo services to use to communicate with each other. 
This results in the authentication performed for this method being performed 
(incorrectly) as the system instead of the client.


> getDiskUsage server implementation recreates Connector from user credentials
> ----------------------------------------------------------------------------
>
>                 Key: ACCUMULO-3568
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3568
>             Project: Accumulo
>          Issue Type: Bug
>          Components: shell
>         Environment: kerberos
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Critical
>             Fix For: 1.7.0
>
>
> The server-side impl for {{TableOperationsImpl.getDiskUsage}} pulls the 
> credentials from the RPC and makes a {{Connector}} from them instead of using 
> its own credentials. With Kerberos enabled, this results in the server 
> "accumulo/hostname@REALM" trying to act as "user@REALM" which (correctly) 
> fails.
> The getDiskUsage implementation should use its own Connector (using the 
> SystemToken from the ServerContext), perform the correct security checks for 
> permissions and act on behalf of the user instead of trying to *be* the user.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
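
The delegation pattern the description asks for, as an added illustration; this is not Accumulo code and not part of the issue. All class, method, table and ACL names are hypothetical, and the RPC caller is assumed to have been authenticated by the RPC layer already.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical model of the bug and the fix; none of these types are Accumulo's.
public class DiskUsageDelegation {
    record Principal(String name) {}

    // Stand-in for a Kerberos-backed login: a process can only authenticate
    // as the principal whose key material it actually holds.
    static final class Session {
        final Principal self;
        private Session(Principal self) { this.self = self; }
        static Session login(Principal holder, Principal requested) {
            if (!holder.equals(requested))
                throw new SecurityException(holder.name() + " cannot log in as " + requested.name());
            return new Session(requested);
        }
    }

    static final Principal SERVER = new Principal("accumulo/hostname@REALM");
    // Constructed sample data: who may read which table, and its size in bytes.
    static final Map<String, Set<String>> READERS = Map.of("t1", Set.of("user@REALM"));
    static final Map<String, Long> USAGE = Map.of("t1", 4096L);

    // Before: rebuild a session from the caller's principal, i.e. try to *be* the user.
    static long diskUsageAsUser(Principal rpcCaller, String table) {
        Session s = Session.login(SERVER, rpcCaller); // fails: the server holds only its own key
        return USAGE.get(table);
    }

    // After: keep the server's own session, authorize the caller explicitly,
    // then do the work on the caller's behalf under the system identity.
    static long diskUsageOnBehalfOf(Principal rpcCaller, String table) {
        Session system = Session.login(SERVER, SERVER);
        if (!READERS.getOrDefault(table, Set.of()).contains(rpcCaller.name()))
            throw new SecurityException(rpcCaller.name() + " lacks permission on " + table);
        return USAGE.get(table);
    }

    public static void main(String[] args) {
        Principal user = new Principal("user@REALM");
        try { diskUsageAsUser(user, "t1"); }
        catch (SecurityException e) { System.out.println("before: " + e.getMessage()); }
        System.out.println("after: " + diskUsageOnBehalfOf(user, "t1"));
        try { diskUsageOnBehalfOf(new Principal("other@REALM"), "t1"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The explicit permission check is what keeps the system identity from becoming a bypass: once the server stops impersonating the caller, nothing else enforces the caller's access.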
