[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852758#comment-13852758 ] Hadoop QA commented on HBASE-9866: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12619504/9866-4.txt against trunk revision . ATTACHMENT ID: 12619504 {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:red}-1 tests included{color}. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. {color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop 1.0 profile. {color:green}+1 hadoop1.1{color}. The patch compiles against the hadoop 1.1 profile. {color:green}+1 javadoc{color}. The javadoc tool did not generate any warning messages. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 1.3.9) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100 {color:red}-1 site{color}. The patch appears to cause mvn site goal to fail. {color:red}-1 core tests{color}. The patch failed these unit tests: org.apache.hadoop.hbase.regionserver.TestSplitTransaction Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/8229//console This message is automatically generated. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.98.0, 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13853351#comment-13853351 ] Hudson commented on HBASE-9866: --- SUCCESS: Integrated in HBase-TRUNK #4739 (See [https://builds.apache.org/job/HBase-TRUNK/4739/]) HBASE-9866. Support the mode where REST server authorizes proxy users (ddas: rev 1552385) * /hbase/trunk/hbase-common/src/main/resources/hbase-default.xml * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.98.0, 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13853380#comment-13853380 ] Hudson commented on HBASE-9866: --- FAILURE: Integrated in HBase-0.98 #24 (See [https://builds.apache.org/job/HBase-0.98/24/]) HBASE-9866. Support the mode where REST server authorizes proxy users (ddas: rev 1552386) * /hbase/branches/0.98/hbase-common/src/main/resources/hbase-default.xml * /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java * /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.98.0, 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13853523#comment-13853523 ] Hudson commented on HBASE-9866: --- FAILURE: Integrated in HBase-0.98-on-Hadoop-1.1 #22 (See [https://builds.apache.org/job/HBase-0.98-on-Hadoop-1.1/22/]) HBASE-9866. Support the mode where REST server authorizes proxy users (ddas: rev 1552386) * /hbase/branches/0.98/hbase-common/src/main/resources/hbase-default.xml * /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java * /hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.98.0, 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13853598#comment-13853598 ] Hudson commented on HBASE-9866: --- SUCCESS: Integrated in HBase-TRUNK-on-Hadoop-1.1 #13 (See [https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-1.1/13/]) HBASE-9866. Support the mode where REST server authorizes proxy users (ddas: rev 1552385) * /hbase/trunk/hbase-common/src/main/resources/hbase-default.xml * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.98.0, 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852069#comment-13852069 ] Andrew Purtell commented on HBASE-9866: --- The general idea is fine, but I don't have time to look at this in detail. Reading briefly above looks like [~jxiang] provided review, ping him? Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852085#comment-13852085 ] Jimmy Xiang commented on HBASE-9866: I am fine with the change. If we are ok with the general idea, +1 then. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852162#comment-13852162 ] Devaraj Das commented on HBASE-9866: Thanks, folks. Andrew, would you be okay with this committed to 0.98? Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852163#comment-13852163 ] Andrew Purtell commented on HBASE-9866: --- bq. Andrew, would you be okay with this committed to 0.98? +1 Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13851443#comment-13851443 ] Devaraj Das commented on HBASE-9866: Ping... Any comments. Good to commit? Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.99.0 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13819668#comment-13819668 ] Jimmy Xiang commented on HBASE-9866: Can we 1. change doas to doAs to be aligned with other Hadoop components, 2, use the configuration in RESTServlet instance instead of the servlet context, 3, throw an exception if the feature is disabled while someone passed in doAs parameter to avoid confusing? Thanks. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt, 9866-2.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13819695#comment-13819695 ] Jimmy Xiang commented on HBASE-9866: Just one minor issue. {code} +if (!proxyConfigured) { {code} should be {code} +if (doAsUserFromQuery != null !proxyConfigured) { {code} Other than that, it is fine with me. Not sure if [~apurtell], or [~toffer] have any comments. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13819736#comment-13819736 ] Hadoop QA commented on HBASE-9866: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12613238/9866-2.txt against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:red}-1 tests included{color}. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. {color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop 1.0 profile. {color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop 2.0 profile. {color:red}-1 javadoc{color}. The javadoc tool appears to have generated 1 warning messages. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 1.3.9) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100 {color:red}-1 site{color}. The patch appears to cause mvn site goal to fail. {color:red}-1 core tests{color}. The patch failed these unit tests: {color:red}-1 core zombie tests{color}. There are 1 zombie test(s): at org.apache.hadoop.hbase.TestZooKeeper.testRegionAssignmentAfterMasterRecoveryDueToZKExpiry(TestZooKeeper.java:488) Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7816//console This message is automatically generated. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814046#comment-13814046 ] Francis Liu commented on HBASE-9866: This will make auditing a bit hard since the real user is lost when it hits the RS. Can we log a doAs message so we can trace back? Given that we're adding doAs support in reset. It's prolly a good idea to provide a way to refresh the ProxyUsers config without restarting the server. BTW do the other webservices support doAs (hdfs's proxy, webhcat, etc)? Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814050#comment-13814050 ] Jimmy Xiang commented on HBASE-9866: In case the REST server shares the same configuration with rs/master, can we have a config and turn this feature off by default? Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814149#comment-13814149 ] Devaraj Das commented on HBASE-9866: [~toffer], yes, services like webhcat supports doAs, but they have different config knobs for configuring the groups/ip-addresses. Maybe they map these configurations to the underlying Hadoop configurations internally. [~jxiang], okay will add a configuration for turning this feature on/off... Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813365#comment-13813365 ] Devaraj Das commented on HBASE-9866: Definitely, we need to be careful about configuring things with the potential security holes in mind. Also, one can choose to disable this by not configuring the proxy user settings for the REST server. Right? Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13812064#comment-13812064 ] Jimmy Xiang commented on HBASE-9866: I saw that. It is something like user A is allowed to do something on behalf of user B, now let user C to do it on behalf of user B instead, if allowed. If A == C and they share the same configuration, it may be fine. Now, A could be different from C. Even they are the same, the configuration could be different since one is the REST server (i,e, HBase client side), the other is on the HBase server (master/rs) side. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13811471#comment-13811471 ] Jimmy Xiang commented on HBASE-9866: bq. + Lock lock = locker.acquireLock(effectiveUser.get().getUserName()); Are we sure effectiveUser is always set even when SPENGO/security is not enabled? bq. final String doAsUserFromQuery = request.getParameter(doas); Should we use parameter doAs? Can we make sure there is no javadoc/findbugs warnings? Another thing is that we have two proxy users. One is the user authenticated with SPENGO. The other is the real user. We switch the proxy user in the middle. Is this a security concern? I was wondering if Knox should talks to HBase directly as a proxy, instead of going through REST server as another level proxying? [~toffer], any comments? Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13811674#comment-13811674 ] Dilli Arumugam commented on HBASE-9866: --- Knox talks only REST to Hadoop services. Knox unified and secure REST endpoint to its client, for all downstream REST end points of Hadoop services. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13811801#comment-13811801 ] Devaraj Das commented on HBASE-9866: bq. Are we sure effectiveUser is always set even when SPENGO/security is not enabled? Yes. The constructor of RESTServlet initializes the realUser which is the initial value of effectiveUser. bq. Should we use parameter doAs? I'll update this.. bq. Can we make sure there is no javadoc/findbugs warnings? Yes. I'll look at this.. bq. Another thing is that we have two proxy users. One is the user authenticated with SPENGO. The other is the real user. We switch the proxy user in the middle. Is this a security concern? We have proxy user authorization check before the switch is made. {code}ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);{code}. The proxy user authorization check will fail unless the user making the REST call is authorized to perform the doAs on behalf of the configured group and he is coming from a known IP address. No new security concern here .. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810395#comment-13810395 ] Jimmy Xiang commented on HBASE-9866: Why do we need this? REST server does support proxy users. You should use -u to specify the user, right? curl -i --negotiate -u USER/DOMAIN http://HOST:PORT/version/cluster Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810500#comment-13810500 ] Devaraj Das commented on HBASE-9866: I see. Let me check that aspect then. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810773#comment-13810773 ] Dilli Arumugam commented on HBASE-9866: --- In response to Question from Jimmy Why do we need this? REST server does support proxy users. You should use -u to specify the user, right? curl -i --negotiate -u USER/DOMAIN http://HOST:PORT/version/cluster We need this for Apache Knox. Apache Knox provides perimeter security. The flow would be Rest Client - Knox - HBase Rest Gateway Knox authenticates its Rest client using Http Basic. Knox itself authenticates to HBase Rest Gateway using SPNego. Then, Knox proxies for the end user. So, HBase Rest gateway should allow Knox to pass doAs parameter with the value of end user identity. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810808#comment-13810808 ] Dilli Arumugam commented on HBASE-9866: --- In the context of curl usage curl -i --negotiate -u USER/DOMAIN http://HOST:PORT/version/cluster As far as I know and tested, the usage is curl -i --negotiate -u : http://HOST:PORT/version/cluster Value of option -u is ignored. The identity of the caller is established based on the kerberos ticket in ticket cache. Kerberos ticket would have been populated by a call to kinit. In the context of Knox usage, the caller identity established by kerberos ticket is that of knox. Knox has to tell HBase Rest gateway that the call is made on behalf of specific end user. That end user identity has to go in as doAs query parameter value. That is how it happens for WebHDFS, Oozie and WebHCat calls from Knox. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810823#comment-13810823 ] Jimmy Xiang commented on HBASE-9866: Makes sense. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[ https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810951#comment-13810951 ] Hadoop QA commented on HBASE-9866: -- {color:red}-1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12611231/9866-1.txt against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:red}-1 tests included{color}. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. {color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop 1.0 profile. {color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop 2.0 profile. {color:red}-1 javadoc{color}. The javadoc tool appears to have generated 1 warning messages. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:red}-1 findbugs{color}. The patch appears to introduce 1 new Findbugs (version 1.3.9) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100 {color:red}-1 site{color}. The patch appears to cause mvn site goal to fail. {color:green}+1 core tests{color}. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/7696//console This message is automatically generated. Support the mode where REST server authorizes proxy users - Key: HBASE-9866 URL: https://issues.apache.org/jira/browse/HBASE-9866 Project: HBase Issue Type: Improvement Reporter: Devaraj Das Assignee: Devaraj Das Fix For: 0.96.1 Attachments: 9866-1.txt In one use case, someone was trying to authorize with the REST server as a proxy user. That mode is not supported today. The curl request would be something like (assuming SPNEGO auth) - {noformat} curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)