Gary Helmling created HBASE-17827: ------------------------------------- Summary: Client tools relying on AuthUtil.getAuthChore() break credential cache login Key: HBASE-17827 URL: https://issues.apache.org/jira/browse/HBASE-17827 Project: HBase Issue Type: Bug Components: canary, security Reporter: Gary Helmling Assignee: Gary Helmling
Client tools, such as Canary, which make use of keytab based logins with AuthUtil.getAuthChore() do not allow any way to continue without a keytab-based login when security is enabled. Currently, when security is enabled and the configuration lacks {{hbase.client.keytab.file}}, these tools would fail with: {noformat} ERROR hbase.AuthUtil: Error while trying to perform the initial login: Running in secure mode, but config doesn't have a keytab java.io.IOException: Running in secure mode, but config doesn't have a keytab at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239) at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420) at org.apache.hadoop.hbase.security.User.login(User.java:258) at org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197) at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98) at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589) at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70) at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327) Exception in thread "main" java.io.IOException: Running in secure mode, but config doesn't have a keytab at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:239) at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:420) at org.apache.hadoop.hbase.security.User.login(User.java:258) at org.apache.hadoop.hbase.security.UserProvider.login(UserProvider.java:197) at org.apache.hadoop.hbase.AuthUtil.getAuthChore(AuthUtil.java:98) at org.apache.hadoop.hbase.tool.Canary.run(Canary.java:589) at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:70) at org.apache.hadoop.hbase.tool.Canary.main(Canary.java:1327) {noformat} These tools should still work with the default credential-cache login, at least when a client keytab is not configured. -- This message was sent by Atlassian JIRA (v6.3.15#6346)