We're updating the issue view to help you get more done. 

HBaseAdmin shouldn't be reused across different UGI

Description

The HBaseAdmin has a connection inside that contains the current UGI at the creation time. Reusing will break impersonation, because now Flow's HBase operations may be using the wrong UGI, which may not have privileges on the appropriate namespace (not should the incorrect user be used to create the HBase tables).

Release Notes

Fixed an issue that allows impersonation in flows to work correctly, by not re-using HBaseAdmin across different UGI.

Activity

Show:
Terence Yim
October 5, 2016, 7:32 PM
Edited
Ali Anwar
October 5, 2016, 8:07 PM

Additionally, we renew the Kerberos login for the master principal, but not for any impersonated principal's UGIs. Because of that, if the first HBaseAdmin is created for an impersonated namespace, that UGI's kerberos credentials will not be renewed/updated. After some time, it will expire and I believe that is the reason that this error log can be seen upon any Flow's HBase operation:

Terence Yim
October 17, 2016, 11:27 PM

Reopen as it hasn't port back to 4.0

Sagar Kapare
November 2, 2016, 9:26 PM

Fix is ported to 3.6 and develop. Marking the JIRA as resolved.

Fixed

Assignee

Terence Yim

Reporter

Terence Yim

Labels

Docs Impact

None

UX Impact

None

Components

Fix versions

Affects versions

Priority

Blocker
Configure