[jira] [Commented] (ACCUMULO-3568) du shell command uses ServerClient incorrectly
[
https://issues.apache.org/jira/browse/ACCUMULO-3568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14314787#comment-14314787
]
Josh Elser commented on ACCUMULO-3568:
--
Hrm. I forgot what ServerClient was I think. Somehow it's still using the wrong
credentials with Kerberos on.
> du shell command uses ServerClient incorrectly
> --
>
> Key: ACCUMULO-3568
> URL: https://issues.apache.org/jira/browse/ACCUMULO-3568
> Project: Accumulo
> Issue Type: Bug
> Components: shell
> Environment: kerberos
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Critical
> Fix For: 1.7.0
>
>
> {{TableOperationsImpl.getDiskUsage}} uses the {{ServerClient}} class which is
> meant for Accumulo services to use to communicate with each other. This
> results in the authentication performed for this method being performed
> (incorrectly) as the system instead of the client.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-3568) du shell command uses ServerClient incorrectly
[
https://issues.apache.org/jira/browse/ACCUMULO-3568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14315121#comment-14315121
]
Josh Elser commented on ACCUMULO-3568:
--
Finally tracked down some more information:
{panel:title=TabletServer.log}
{noformat}
2015-02-10 17:46:51,081 [rpc.UGIAssumingProcessor] [ClientPool 180] TRACE:
Setting remoteUser=jel...@example.com
2015-02-10 17:46:51,082 [rpc.TCredentialsUpdatingInvocationHandler] [ClientPool
180] TRACE: Principal from RPC=jel...@example.com, args=[[ci],
TCredentials(principal:jel...@example.com,
tokenClassName:org.apache.accumulo.core.client.security.tokens.KerberosToken,
token:00 00 00 01, instanceId:6d25daec-07ac-4885-b7a1-4e95c89072b1)]
2015-02-10 17:46:51,086 [rpc.UGIAssumingProcessor] [ClientPool 181] TRACE:
Setting remoteUser=accumulo/hostn...@example.com
2015-02-10 17:46:51,086 [rpc.TCredentialsUpdatingInvocationHandler] [ClientPool
181] TRACE: Principal from RPC=accumulo/hostn...@example.com,
args=[TInfo(traceId:0, parentId:0), TCredentials(principal:jel...@example.com,
tokenClassName:org.apache.accumulo.core.client.security.tokens.KerberosToken,
token:00 00 00 01, instanceId:6d25daec-07ac-4885-b7a1-4e95c89072b1)]
2015-02-10 17:46:51,086 [rpc.TCredentialsUpdatingInvocationHandler] [ClientPool
181] WARN : Principal in credentials object should match kerberos principal.
Expected 'accumulo/hostn...@example.com' but was 'jel...@example.com'
{noformat}
{panel}
The first RPC (as myself in the principal) is for the table existence check
done in {{DUCommand}}. The 2nd call is the problematic one, where the wrong
principal is being extracted from the RPC transport. Still unsure about how
that is happening.
> du shell command uses ServerClient incorrectly
> --
>
> Key: ACCUMULO-3568
> URL: https://issues.apache.org/jira/browse/ACCUMULO-3568
> Project: Accumulo
> Issue Type: Bug
> Components: shell
> Environment: kerberos
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Critical
> Fix For: 1.7.0
>
>
> {{TableOperationsImpl.getDiskUsage}} uses the {{ServerClient}} class which is
> meant for Accumulo services to use to communicate with each other. This
> results in the authentication performed for this method being performed
> (incorrectly) as the system instead of the client.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (ACCUMULO-3568) du shell command uses ServerClient incorrectly
[
https://issues.apache.org/jira/browse/ACCUMULO-3568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14315304#comment-14315304
]
Josh Elser commented on ACCUMULO-3568:
--
After much cursing, finally figured it out. The problem was not the client
doing something bad, but the server *using* the clients credentials instead of
its own.
{code}
@Override
public List getDiskUsage(Set tables, TCredentials
credentials) throws ThriftTableOperationException, ThriftSecurityException,
TException {
try {
final Credentials creds = Credentials.fromThrift(credentials);
Connector conn = instance.getConnector(creds.getPrincipal(),
creds.getToken());
{code}
That explains why I couldn't figure out what was seemingly different on the
client side -- it was nothing. The server should be using its own connector and
enforcing proper permissions to keep users from {{du}}'ing tables which they
have no access to.
> du shell command uses ServerClient incorrectly
> --
>
> Key: ACCUMULO-3568
> URL: https://issues.apache.org/jira/browse/ACCUMULO-3568
> Project: Accumulo
> Issue Type: Bug
> Components: shell
> Environment: kerberos
>Reporter: Josh Elser
>Assignee: Josh Elser
>Priority: Critical
> Fix For: 1.7.0
>
>
> {{TableOperationsImpl.getDiskUsage}} uses the {{ServerClient}} class which is
> meant for Accumulo services to use to communicate with each other. This
> results in the authentication performed for this method being performed
> (incorrectly) as the system instead of the client.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
