CDAP / CDAP-9005

HBaseQueueDebugger fails in case of authorization

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.1.0, 3.5.4, 4.0.1
    • Fix Version/s: 3.5.5, 4.1.1, 4.0.2
    • Component/s: Security, Tools
    • Release Notes:
      Fixed an issue where the HBase Queue Debugging Tool failed when authorization was enabled.

      Description

      Upon running the HBaseQueueDebugger, the following error can be hit in case the CDAP master principal isn't authorized for READ in other namespaces.
      We hit it because even though we disable authorization in the queue debugger tool itself, the tool interacts with the CDAP instance that is running separately from the tool, and so the auth enforcement is still happening in CDAP.

      <DATE> <TIMESTAMP> - WARN  [main:o.a.h.s.UserGroupInformation@1726] - PriviledgedActionException as:<PRINCIPAL>@<REALM> (auth:KERBEROS) cause:co.cask.cdap.api.dataset.DatasetManagementException: Cannot retrieve dataset instance system.queue info, details: Response code: 403, message: 'Forbidden', body: 'Principal 'Principal{name='<PRINCIPAL>', type=USER}' does not have privileges to access entity 'dataset:<NAMESPACE>.system.queue''
      Exception in thread "main" co.cask.cdap.api.dataset.DatasetManagementException: Cannot retrieve dataset instance system.queue info, details: Response code: 403, message: 'Forbidden', body: 'Principal 'Principal{name='<PRINCIPAL>', type=USER}' does not have privileges to access entity 'dataset:<NAMESPACE>.system.queue''
              at co.cask.cdap.data2.datafabric.dataset.DatasetServiceClient.getInstance(DatasetServiceClient.java:139)
              at co.cask.cdap.data2.datafabric.dataset.RemoteDatasetFramework.getDataset(RemoteDatasetFramework.java:239)
              at co.cask.cdap.data2.dataset2.ForwardingDatasetFramework.getDataset(ForwardingDatasetFramework.java:160)
              at co.cask.cdap.data2.metadata.writer.LineageWriterDatasetFramework.access$101(LineageWriterDatasetFramework.java:55)
              at co.cask.cdap.data2.metadata.writer.LineageWriterDatasetFramework$2.call(LineageWriterDatasetFramework.java:172)
              at co.cask.cdap.data2.metadata.writer.LineageWriterDatasetFramework$2.call(LineageWriterDatasetFramework.java:169)
              at co.cask.cdap.data2.dataset2.DefaultDatasetRuntimeContext.execute(DefaultDatasetRuntimeContext.java:121)
              at co.cask.cdap.data2.metadata.writer.LineageWriterDatasetFramework.getDataset(LineageWriterDatasetFramework.java:167)
              at co.cask.cdap.data2.metadata.writer.LineageWriterDatasetFramework.getDataset(LineageWriterDatasetFramework.java:140)
              at co.cask.cdap.data2.transaction.queue.hbase.HBaseQueueAdmin.getConsumerStateStore(HBaseQueueAdmin.java:286)
              at co.cask.cdap.data.tools.HBaseQueueDebugger.scanQueue(HBaseQueueDebugger.java:217)
              at co.cask.cdap.data.tools.HBaseQueueDebugger$1.call(HBaseQueueDebugger.java:195)
              at co.cask.cdap.data.tools.HBaseQueueDebugger$1.call(HBaseQueueDebugger.java:177)
              at co.cask.cdap.common.security.ImpersonationUtils$1.run(ImpersonationUtils.java:46)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.Subject.doAs(Subject.java:422)
              at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1723)
              at co.cask.cdap.common.security.ImpersonationUtils.doAs(ImpersonationUtils.java:43)
              at co.cask.cdap.common.security.DefaultImpersonator.doAs(DefaultImpersonator.java:64)
              at co.cask.cdap.data.tools.HBaseQueueDebugger.scanAllQueues(HBaseQueueDebugger.java:177)
              at co.cask.cdap.data.tools.HBaseQueueDebugger.main(HBaseQueueDebugger.java:563)
              at co.cask.cdap.data.tools.SimpleHBaseQueueDebugger.main(SimpleHBaseQueueDebugger.java:34)
      

              People

              • Assignee:
                ali.anwar Ali Anwar
                Reporter:
                ali.anwar Ali Anwar