[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852758#comment-13852758
]
Hadoop QA commented on HBASE-9866:
--
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12619504/9866-4.txt
against trunk revision .
ATTACHMENT ID: 12619504
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop
1.0 profile.
{color:green}+1 hadoop1.1{color}. The patch compiles against the hadoop
1.1 profile.
{color:green}+1 javadoc{color}. The javadoc tool did not generate any
warning messages.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 1.3.9) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 lineLengths{color}. The patch does not introduce lines
longer than 100
{color:red}-1 site{color}. The patch appears to cause mvn site goal to
fail.
{color:red}-1 core tests{color}. The patch failed these unit tests:
org.apache.hadoop.hbase.regionserver.TestSplitTransaction
Test results:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//testReport/
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Console output:
https://builds.apache.org/job/PreCommit-HBASE-Build/8229//console
This message is automatically generated.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.98.0, 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt,
9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13853351#comment-13853351
]
Hudson commented on HBASE-9866:
---
SUCCESS: Integrated in HBase-TRUNK #4739 (See
[https://builds.apache.org/job/HBase-TRUNK/4739/])
HBASE-9866. Support the mode where REST server authorizes proxy users (ddas:
rev 1552385)
* /hbase/trunk/hbase-common/src/main/resources/hbase-default.xml
*
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java
*
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.98.0, 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt,
9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13853380#comment-13853380
]
Hudson commented on HBASE-9866:
---
FAILURE: Integrated in HBase-0.98 #24 (See
[https://builds.apache.org/job/HBase-0.98/24/])
HBASE-9866. Support the mode where REST server authorizes proxy users (ddas:
rev 1552386)
* /hbase/branches/0.98/hbase-common/src/main/resources/hbase-default.xml
*
/hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java
*
/hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.98.0, 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt,
9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13853523#comment-13853523
]
Hudson commented on HBASE-9866:
---
FAILURE: Integrated in HBase-0.98-on-Hadoop-1.1 #22 (See
[https://builds.apache.org/job/HBase-0.98-on-Hadoop-1.1/22/])
HBASE-9866. Support the mode where REST server authorizes proxy users (ddas:
rev 1552386)
* /hbase/branches/0.98/hbase-common/src/main/resources/hbase-default.xml
*
/hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java
*
/hbase/branches/0.98/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.98.0, 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt,
9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13853598#comment-13853598
]
Hudson commented on HBASE-9866:
---
SUCCESS: Integrated in HBase-TRUNK-on-Hadoop-1.1 #13 (See
[https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-1.1/13/])
HBASE-9866. Support the mode where REST server authorizes proxy users (ddas:
rev 1552385)
* /hbase/trunk/hbase-common/src/main/resources/hbase-default.xml
*
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServlet.java
*
/hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.98.0, 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt,
9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852069#comment-13852069
]
Andrew Purtell commented on HBASE-9866:
---
The general idea is fine, but I don't have time to look at this in detail.
Reading briefly above looks like [~jxiang] provided review, ping him?
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852085#comment-13852085
]
Jimmy Xiang commented on HBASE-9866:
I am fine with the change. If we are ok with the general idea, +1 then.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852162#comment-13852162
]
Devaraj Das commented on HBASE-9866:
Thanks, folks. Andrew, would you be okay with this committed to 0.98?
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13852163#comment-13852163
]
Andrew Purtell commented on HBASE-9866:
---
bq. Andrew, would you be okay with this committed to 0.98?
+1
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13851443#comment-13851443
]
Devaraj Das commented on HBASE-9866:
Ping... Any comments. Good to commit?
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.99.0
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13819668#comment-13819668
]
Jimmy Xiang commented on HBASE-9866:
Can we 1. change doas to doAs to be aligned with other Hadoop components, 2,
use the configuration in RESTServlet instance instead of the servlet context,
3, throw an exception if the feature is disabled while someone passed in doAs
parameter to avoid confusing? Thanks.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt, 9866-2.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13819695#comment-13819695
]
Jimmy Xiang commented on HBASE-9866:
Just one minor issue.
{code}
+if (!proxyConfigured) {
{code}
should be
{code}
+if (doAsUserFromQuery != null !proxyConfigured) {
{code}
Other than that, it is fine with me. Not sure if [~apurtell], or [~toffer] have
any comments.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13819736#comment-13819736
]
Hadoop QA commented on HBASE-9866:
--
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12613238/9866-2.txt
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop
1.0 profile.
{color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop
2.0 profile.
{color:red}-1 javadoc{color}. The javadoc tool appears to have generated 1
warning messages.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 1.3.9) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 lineLengths{color}. The patch does not introduce lines
longer than 100
{color:red}-1 site{color}. The patch appears to cause mvn site goal to
fail.
{color:red}-1 core tests{color}. The patch failed these unit tests:
{color:red}-1 core zombie tests{color}. There are 1 zombie test(s):
at
org.apache.hadoop.hbase.TestZooKeeper.testRegionAssignmentAfterMasterRecoveryDueToZKExpiry(TestZooKeeper.java:488)
Test results:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//testReport/
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Console output:
https://builds.apache.org/job/PreCommit-HBASE-Build/7816//console
This message is automatically generated.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt, 9866-2.txt, 9866-3.txt, 9866-4.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814046#comment-13814046
]
Francis Liu commented on HBASE-9866:
This will make auditing a bit hard since the real user is lost when it hits the
RS. Can we log a doAs message so we can trace back?
Given that we're adding doAs support in reset. It's prolly a good idea to
provide a way to refresh the ProxyUsers config without restarting the server.
BTW do the other webservices support doAs (hdfs's proxy, webhcat, etc)?
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814050#comment-13814050
]
Jimmy Xiang commented on HBASE-9866:
In case the REST server shares the same configuration with rs/master, can we
have a config and turn this feature off by default?
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814149#comment-13814149
]
Devaraj Das commented on HBASE-9866:
[~toffer], yes, services like webhcat supports doAs, but they have different
config knobs for configuring the groups/ip-addresses. Maybe they map these
configurations to the underlying Hadoop configurations internally.
[~jxiang], okay will add a configuration for turning this feature on/off...
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813365#comment-13813365
]
Devaraj Das commented on HBASE-9866:
Definitely, we need to be careful about configuring things with the potential
security holes in mind. Also, one can choose to disable this by not configuring
the proxy user settings for the REST server. Right?
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13812064#comment-13812064
]
Jimmy Xiang commented on HBASE-9866:
I saw that. It is something like user A is allowed to do something on behalf of
user B, now let user C to do it on behalf of user B instead, if allowed. If A
== C and they share the same configuration, it may be fine. Now, A could be
different from C. Even they are the same, the configuration could be different
since one is the REST server (i,e, HBase client side), the other is on the
HBase server (master/rs) side.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13811471#comment-13811471
]
Jimmy Xiang commented on HBASE-9866:
bq. + Lock lock = locker.acquireLock(effectiveUser.get().getUserName());
Are we sure effectiveUser is always set even when SPENGO/security is not
enabled?
bq. final String doAsUserFromQuery = request.getParameter(doas);
Should we use parameter doAs?
Can we make sure there is no javadoc/findbugs warnings?
Another thing is that we have two proxy users. One is the user authenticated
with SPENGO. The other is the real user. We switch the proxy user in the
middle. Is this a security concern?
I was wondering if Knox should talks to HBase directly as a proxy, instead of
going through REST server as another level proxying?
[~toffer], any comments?
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13811674#comment-13811674
]
Dilli Arumugam commented on HBASE-9866:
---
Knox talks only REST to Hadoop services.
Knox unified and secure REST endpoint to its client, for all downstream REST
end points of Hadoop services.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13811801#comment-13811801
]
Devaraj Das commented on HBASE-9866:
bq. Are we sure effectiveUser is always set even when SPENGO/security is not
enabled?
Yes. The constructor of RESTServlet initializes the realUser which is the
initial value of effectiveUser.
bq. Should we use parameter doAs?
I'll update this..
bq. Can we make sure there is no javadoc/findbugs warnings?
Yes. I'll look at this..
bq. Another thing is that we have two proxy users. One is the user
authenticated with SPENGO. The other is the real user. We switch the proxy user
in the middle. Is this a security concern?
We have proxy user authorization check before the switch is made.
{code}ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);{code}. The
proxy user authorization check will fail unless the user making the REST call
is authorized to perform the doAs on behalf of the configured group and he is
coming from a known IP address. No new security concern here ..
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810395#comment-13810395
]
Jimmy Xiang commented on HBASE-9866:
Why do we need this? REST server does support proxy users. You should use -u
to specify the user, right?
curl -i --negotiate -u USER/DOMAIN http://HOST:PORT/version/cluster
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810500#comment-13810500
]
Devaraj Das commented on HBASE-9866:
I see. Let me check that aspect then.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810773#comment-13810773
]
Dilli Arumugam commented on HBASE-9866:
---
In response to Question from Jimmy
Why do we need this? REST server does support proxy users. You should use -u to
specify the user, right?
curl -i --negotiate -u USER/DOMAIN http://HOST:PORT/version/cluster
We need this for Apache Knox.
Apache Knox provides perimeter security.
The flow would be
Rest Client - Knox - HBase Rest Gateway
Knox authenticates its Rest client using Http Basic.
Knox itself authenticates to HBase Rest Gateway using SPNego.
Then, Knox proxies for the end user.
So, HBase Rest gateway should allow Knox to pass doAs parameter with the value
of end user identity.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810808#comment-13810808
]
Dilli Arumugam commented on HBASE-9866:
---
In the context of curl usage
curl -i --negotiate -u USER/DOMAIN http://HOST:PORT/version/cluster
As far as I know and tested, the usage is
curl -i --negotiate -u : http://HOST:PORT/version/cluster
Value of option -u is ignored.
The identity of the caller is established based on the kerberos ticket in
ticket cache.
Kerberos ticket would have been populated by a call to kinit.
In the context of Knox usage, the caller identity established by kerberos
ticket is that of knox. Knox has to tell HBase Rest gateway that the call is
made on behalf of specific end user. That end user identity has to go in as
doAs query parameter value. That is how it happens for WebHDFS, Oozie and
WebHCat calls from Knox.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810823#comment-13810823
]
Jimmy Xiang commented on HBASE-9866:
Makes sense.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (HBASE-9866) Support the mode where REST server authorizes proxy users
[
https://issues.apache.org/jira/browse/HBASE-9866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13810951#comment-13810951
]
Hadoop QA commented on HBASE-9866:
--
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12611231/9866-1.txt
against trunk revision .
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:green}+1 hadoop1.0{color}. The patch compiles against the hadoop
1.0 profile.
{color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop
2.0 profile.
{color:red}-1 javadoc{color}. The javadoc tool appears to have generated 1
warning messages.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:red}-1 findbugs{color}. The patch appears to introduce 1 new
Findbugs (version 1.3.9) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 lineLengths{color}. The patch does not introduce lines
longer than 100
{color:red}-1 site{color}. The patch appears to cause mvn site goal to
fail.
{color:green}+1 core tests{color}. The patch passed unit tests in .
Test results:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//testReport/
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Console output:
https://builds.apache.org/job/PreCommit-HBASE-Build/7696//console
This message is automatically generated.
Support the mode where REST server authorizes proxy users
-
Key: HBASE-9866
URL: https://issues.apache.org/jira/browse/HBASE-9866
Project: HBase
Issue Type: Improvement
Reporter: Devaraj Das
Assignee: Devaraj Das
Fix For: 0.96.1
Attachments: 9866-1.txt
In one use case, someone was trying to authorize with the REST server as a
proxy user. That mode is not supported today.
The curl request would be something like (assuming SPNEGO auth) -
{noformat}
curl -i --negotiate -u : http://HOST:PORT/version/cluster?doas=USER
{noformat}
--
This message was sent by Atlassian JIRA
(v6.1#6144)
