HBASE-26553 OAuth Bearer authentication mech plugin for SASL
Adds a new SASL mech plugin for OAuthBearer (JWT) authentication.
- In order to keep the size of this initial patch manageable, the supported workflow is limited: the client reads a single JWT token with expiry information from an environment variable and authenticates with the server.
- It works similarly to Hadoop delegation tokens: the JWT token takes precedence, but if it's missing, the auth provider will fall back to Kerberos.
- Kerberos must be enabled on the cluster, otherwise HBase security is not enabled.
Minimum configuration to enable JWT auth:
Server side:
```xml
<property>
  <name>hbase.server.sasl.provider.extras</name>
  <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslServerAuthenticationProvider</value>
</property>
<property>
  <name>hbase.security.oauth.jwt.jwks.url</name>
  <value>JWKS download url</value>
</property>
```
Client side:
```xml
<property>
  <name>hbase.client.sasl.provider.extras</name>
  <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslClientAuthenticationProvider</value>
</property>
<property>
  <name>hbase.client.sasl.provider.class</name>
  <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslProviderSelector</value>
</property>
```
The client also has to be in possession of a valid JWT token, which must be set via an environment variable:
```bash
export HBASE_JWT="<base64 encoded token>,<expiry>"
```
cc @petersomogyi @meszibalu @joshelser @bbeaudreault @Apache9
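A pre-flight check for the `HBASE_JWT` value described above, as an added example that is not part of the pull request or of HBase's code. It assumes the token is a compact three-part JWT and that `<expiry>` is epoch milliseconds (the description does not state the unit); `preflight`, `constructed_env` and `JwtEnvError` are hypothetical names, and the signature is not checked here because that belongs to the server side configured with the JWKS URL.

```python
import base64
import json
import time


class JwtEnvError(ValueError):
    """HBASE_JWT is set but unusable."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _json_segment(segment: str) -> dict:
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
        if not isinstance(obj, dict):
            raise ValueError("not a JSON object")
        return obj
    except ValueError as exc:  # also covers binascii and JSON decode errors
        raise JwtEnvError("JWT segment is not base64url-encoded JSON") from exc


def preflight(env: dict, now: float) -> tuple:
    """Return ("jwt", info) or ("kerberos", None); raise if HBASE_JWT is bad."""
    raw = env.get("HBASE_JWT", "")
    if not raw:
        return ("kerberos", None)  # page: fall back to Kerberos when the token is missing
    token, sep, expiry_text = raw.rpartition(",")
    if not sep or not token or not expiry_text.isdigit():
        raise JwtEnvError("expected '<token>,<expiry>'")
    segments = token.split(".")
    if len(segments) != 3 or not all(segments):
        raise JwtEnvError("token is not a three-part signed JWT")
    header, claims = _json_segment(segments[0]), _json_segment(segments[1])
    if str(header.get("alg", "none")).lower() == "none":
        raise JwtEnvError("unsigned token (alg=none)")
    expires_at = int(expiry_text) / 1000.0  # ASSUMPTION: epoch milliseconds
    if isinstance(claims.get("exp"), (int, float)):
        expires_at = min(expires_at, claims["exp"])  # exp is epoch seconds (RFC 7519)
    if expires_at <= now:
        raise JwtEnvError("token already expired")
    # Report only non-secret metadata; the token itself is never returned or logged.
    return ("jwt", {"alg": header["alg"], "kid": header.get("kid"), "expires_at": expires_at})


def constructed_env(exp_s: int, alg: str = "RS256") -> dict:
    """Constructed sample value with a dummy signature; not a real credential."""
    head = _b64url(json.dumps({"alg": alg, "kid": "demo-key"}).encode())
    body = _b64url(json.dumps({"sub": "demo-user", "exp": exp_s}).encode())
    return {"HBASE_JWT": f"{head}.{body}.{_b64url(b'sig')},{exp_s * 1000}"}


if __name__ == "__main__":
    print(preflight(constructed_env(int(time.time()) + 300), time.time()))
```

Running a check like this before starting the client separates a missing token, where the Kerberos fallback applies, from a malformed or expired one that should be reissued.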
:broken_heart: -1 overall
| Vote | Subsystem | Runtime | Comment |
|---|---|---|---|
| +0 :ok: | reexec | 1m 2s | Docker mode activated. |
| _ Prechecks _ | |||
| +1 :green_heart: | dupname | 0m 0s | No case conflicting files found. |
| +1 :green_heart: | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 :green_heart: | @author | 0m 0s | The patch does not contain any @author tags. |
| _ master Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 18s | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 2m 24s | master passed |
| +1 :green_heart: | compile | 6m 12s | master passed |
| +1 :green_heart: | checkstyle | 1m 1s | master passed |
| +1 :green_heart: | spotless | 0m 41s | branch has no errors when running spotless:check. |
| +1 :green_heart: | spotbugs | 10m 25s | master passed |
| _ Patch Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 16s | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 2m 13s | the patch passed |
| +1 :green_heart: | compile | 6m 11s | the patch passed |
| -0 :warning: | javac | 6m 11s | root generated 3 new + 707 unchanged - 0 fixed = 710 total (was 707) |
| -0 :warning: | checkstyle | 1m 0s | root: The patch generated 6 new + 0 unchanged - 0 fixed = 6 total (was 0) |
| +1 :green_heart: | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 :green_heart: | xml | 0m 1s | The patch has no ill-formed XML file. |
| +1 :green_heart: | hadoopcheck | 8m 0s | Patch does not cause any errors with Hadoop 3.2.4 3.3.4. |
| -1 :x: | spotless | 0m 12s | patch has 71 errors when running spotless:check, run spotless:apply to fix. |
| +1 :green_heart: | spotbugs | 10m 51s | the patch passed |
| _ Other Tests _ | |||
| +1 :green_heart: | asflicense | 0m 58s | The patch does not generate ASF License warnings. |
| 58m 2s |
| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/artifact/yetus-general-check/output/Dockerfile |
| GITHUB PR | https://github.com/apache/hbase/pull/4733 |
| Optional Tests | dupname asflicense javac spotbugs hadoopcheck hbaseanti spotless checkstyle compile xml |
| uname | Linux 6546613b29b7 5.4.0-124-generic #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/hbase-personality.sh |
| git revision | master / 06728e554c |
| Default Java | AdoptOpenJDK-1.8.0_282-b08 |
| javac | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/artifact/yetus-general-check/output/diff-compile-javac-root.txt |
| checkstyle | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/artifact/yetus-general-check/output/diff-checkstyle-root.txt |
| spotless | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/artifact/yetus-general-check/output/patch-spotless.txt |
| Max. process+thread count | 138 (vs. ulimit of 30000) |
| modules | C: hbase-common hbase-client hbase-resource-bundle hbase-server hbase-examples . U: . |
| Console output | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/console |
| versions | git=2.17.1 maven=3.6.3 spotbugs=4.2.2 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |
This message was automatically generated.
:broken_heart: -1 overall
| Vote | Subsystem | Runtime | Comment |
|---|---|---|---|
| +0 :ok: | reexec | 0m 53s | Docker mode activated. |
| -0 :warning: | yetus | 0m 3s | Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck |
| _ Prechecks _ | |||
| _ master Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 21s | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 2m 41s | master passed |
| +1 :green_heart: | compile | 1m 43s | master passed |
| +1 :green_heart: | shadedjars | 3m 58s | branch has no errors when building our shaded downstream artifacts. |
| +1 :green_heart: | javadoc | 2m 54s | master passed |
| _ Patch Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 14s | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 2m 31s | the patch passed |
| +1 :green_heart: | compile | 1m 43s | the patch passed |
| +1 :green_heart: | javac | 1m 43s | the patch passed |
| +1 :green_heart: | shadedjars | 3m 54s | patch has no errors when building our shaded downstream artifacts. |
| +1 :green_heart: | javadoc | 2m 55s | the patch passed |
| _ Other Tests _ | |||
| -1 :x: | unit | 213m 42s | root in the patch failed. |
| 239m 30s |
| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/artifact/yetus-jdk11-hadoop3-check/output/Dockerfile |
| GITHUB PR | https://github.com/apache/hbase/pull/4733 |
| Optional Tests | javac javadoc unit shadedjars compile |
| uname | Linux 5c8a411d2553 5.4.0-1081-aws #88~18.04.1-Ubuntu SMP Thu Jun 23 16:29:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/hbase-personality.sh |
| git revision | master / 06728e554c |
| Default Java | AdoptOpenJDK-11.0.10+9 |
| unit | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/artifact/yetus-jdk11-hadoop3-check/output/patch-unit-root.txt |
| Test Results | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/testReport/ |
| Max. process+thread count | 2599 (vs. ulimit of 30000) |
| modules | C: hbase-common hbase-client hbase-resource-bundle hbase-server hbase-examples . U: . |
| Console output | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/console |
| versions | git=2.17.1 maven=3.6.3 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |
This message was automatically generated.
:confetti_ball: +1 overall
| Vote | Subsystem | Runtime | Comment |
|---|---|---|---|
| +0 :ok: | reexec | 1m 56s | Docker mode activated. |
| -0 :warning: | yetus | 0m 3s | Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck |
| _ Prechecks _ | |||
| _ master Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 26s | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 3m 7s | master passed |
| +1 :green_heart: | compile | 2m 2s | master passed |
| +1 :green_heart: | shadedjars | 5m 38s | branch has no errors when building our shaded downstream artifacts. |
| +1 :green_heart: | javadoc | 3m 24s | master passed |
| _ Patch Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 15s | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 2m 59s | the patch passed |
| +1 :green_heart: | compile | 2m 12s | the patch passed |
| +1 :green_heart: | javac | 2m 12s | the patch passed |
| +1 :green_heart: | shadedjars | 5m 38s | patch has no errors when building our shaded downstream artifacts. |
| +1 :green_heart: | javadoc | 3m 42s | the patch passed |
| _ Other Tests _ | |||
| +1 :green_heart: | unit | 408m 38s | root in the patch passed. |
| 442m 55s |
| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/artifact/yetus-jdk8-hadoop3-check/output/Dockerfile |
| GITHUB PR | https://github.com/apache/hbase/pull/4733 |
| Optional Tests | javac javadoc unit shadedjars compile |
| uname | Linux 7c2a7e7144fd 5.4.0-1081-aws #88~18.04.1-Ubuntu SMP Thu Jun 23 16:29:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/hbase-personality.sh |
| git revision | master / 06728e554c |
| Default Java | AdoptOpenJDK-1.8.0_282-b08 |
| Test Results | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/testReport/ |
| Max. process+thread count | 4855 (vs. ulimit of 30000) |
| modules | C: hbase-common hbase-client hbase-resource-bundle hbase-server hbase-examples . U: . |
| Console output | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/1/console |
| versions | git=2.17.1 maven=3.6.3 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |
This message was automatically generated.
:confetti_ball: +1 overall
| Vote | Subsystem | Runtime | Comment |
|---|---|---|---|
| +0 :ok: | reexec | 1m 26s | Docker mode activated. |
| _ Prechecks _ | |||
| +1 :green_heart: | dupname | 0m 0s | No case conflicting files found. |
| +1 :green_heart: | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 :green_heart: | @author | 0m 0s | The patch does not contain any @author tags. |
| _ master Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 21s | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 3m 27s | master passed |
| +1 :green_heart: | compile | 9m 43s | master passed |
| +1 :green_heart: | checkstyle | 1m 22s | master passed |
| +1 :green_heart: | spotless | 0m 57s | branch has no errors when running spotless:check. |
| +1 :green_heart: | spotbugs | 15m 2s | master passed |
| _ Patch Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 16s | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 3m 19s | the patch passed |
| +1 :green_heart: | compile | 8m 46s | the patch passed |
| -0 :warning: | javac | 8m 46s | root generated 3 new + 707 unchanged - 0 fixed = 710 total (was 707) |
| +1 :green_heart: | checkstyle | 1m 19s | the patch passed |
| +1 :green_heart: | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 :green_heart: | xml | 0m 2s | The patch has no ill-formed XML file. |
| +1 :green_heart: | hadoopcheck | 10m 55s | Patch does not cause any errors with Hadoop 3.2.4 3.3.4. |
| +1 :green_heart: | spotless | 0m 52s | patch has no errors when running spotless:check. |
| +1 :green_heart: | spotbugs | 15m 57s | the patch passed |
| _ Other Tests _ | |||
| +1 :green_heart: | asflicense | 0m 52s | The patch does not generate ASF License warnings. |
| 82m 31s |
| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/2/artifact/yetus-general-check/output/Dockerfile |
| GITHUB PR | https://github.com/apache/hbase/pull/4733 |
| Optional Tests | dupname asflicense javac spotbugs hadoopcheck hbaseanti spotless checkstyle compile xml |
| uname | Linux b3cdeb7656d8 5.4.0-124-generic #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/hbase-personality.sh |
| git revision | master / 37651ee1b0 |
| Default Java | AdoptOpenJDK-1.8.0_282-b08 |
| javac | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/2/artifact/yetus-general-check/output/diff-compile-javac-root.txt |
| Max. process+thread count | 138 (vs. ulimit of 30000) |
| modules | C: hbase-common hbase-client hbase-resource-bundle hbase-server hbase-examples . U: . |
| Console output | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/2/console |
| versions | git=2.17.1 maven=3.6.3 spotbugs=4.2.2 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |
This message was automatically generated.
:confetti_ball: +1 overall
| Vote | Subsystem | Runtime | Comment |
|---|---|---|---|
| +0 :ok: | reexec | 0m 41s | Docker mode activated. |
| -0 :warning: | yetus | 0m 2s | Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck |
| _ Prechecks _ | |||
| _ master Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 20s | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 2m 40s | master passed |
| +1 :green_heart: | compile | 1m 47s | master passed |
| +1 :green_heart: | shadedjars | 3m 53s | branch has no errors when building our shaded downstream artifacts. |
| +1 :green_heart: | javadoc | 2m 53s | master passed |
| _ Patch Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 14s | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 2m 27s | the patch passed |
| +1 :green_heart: | compile | 1m 43s | the patch passed |
| +1 :green_heart: | javac | 1m 43s | the patch passed |
| +1 :green_heart: | shadedjars | 3m 53s | patch has no errors when building our shaded downstream artifacts. |
| +1 :green_heart: | javadoc | 2m 54s | the patch passed |
| _ Other Tests _ | |||
| +1 :green_heart: | unit | 249m 44s | root in the patch passed. |
| 276m 22s |
| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/2/artifact/yetus-jdk11-hadoop3-check/output/Dockerfile |
| GITHUB PR | https://github.com/apache/hbase/pull/4733 |
| Optional Tests | javac javadoc unit shadedjars compile |
| uname | Linux b765cb021a83 5.4.0-1081-aws #88~18.04.1-Ubuntu SMP Thu Jun 23 16:29:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/hbase-personality.sh |
| git revision | master / 37651ee1b0 |
| Default Java | AdoptOpenJDK-11.0.10+9 |
| Test Results | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/2/testReport/ |
| Max. process+thread count | 4757 (vs. ulimit of 30000) |
| modules | C: hbase-common hbase-client hbase-resource-bundle hbase-server hbase-examples . U: . |
| Console output | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/2/console |
| versions | git=2.17.1 maven=3.6.3 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |
This message was automatically generated.
:confetti_ball: +1 overall
| Vote | Subsystem | Runtime | Comment |
|---|---|---|---|
| +0 :ok: | reexec | 0m 19s | Docker mode activated. |
| -0 :warning: | yetus | 0m 3s | Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck |
| _ Prechecks _ | |||
| _ master Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 18s | Maven dependency ordering for branch |
| +1 :green_heart: | mvninstall | 2m 21s | master passed |
| +1 :green_heart: | compile | 1m 36s | master passed |
| +1 :green_heart: | shadedjars | 3m 46s | branch has no errors when building our shaded downstream artifacts. |
| +1 :green_heart: | javadoc | 2m 38s | master passed |
| _ Patch Compile Tests _ | |||
| +0 :ok: | mvndep | 0m 14s | Maven dependency ordering for patch |
| +1 :green_heart: | mvninstall | 2m 14s | the patch passed |
| +1 :green_heart: | compile | 1m 37s | the patch passed |
| +1 :green_heart: | javac | 1m 37s | the patch passed |
| +1 :green_heart: | shadedjars | 3m 45s | patch has no errors when building our shaded downstream artifacts. |
| +1 :green_heart: | javadoc | 2m 39s | the patch passed |
| _ Other Tests _ | |||
| +1 :green_heart: | unit | 376m 13s | root in the patch passed. |
| 400m 5s |
| Subsystem | Report/Notes |
|---|---|
| Docker | ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/2/artifact/yetus-jdk8-hadoop3-check/output/Dockerfile |
| GITHUB PR | https://github.com/apache/hbase/pull/4733 |
| Optional Tests | javac javadoc unit shadedjars compile |
| uname | Linux 398b44e09ce9 5.4.0-124-generic #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/hbase-personality.sh |
| git revision | master / 37651ee1b0 |
| Default Java | AdoptOpenJDK-1.8.0_282-b08 |
| Test Results | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/2/testReport/ |
| Max. process+thread count | 4614 (vs. ulimit of 30000) |
| modules | C: hbase-common hbase-client hbase-resource-bundle hbase-server hbase-examples . U: . |
| Console output | https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4733/2/console |
| versions | git=2.17.1 maven=3.6.3 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |
This message was automatically generated.
Thanks @taklwu, I've updated the minimum configuration in the description with more details.
Sorry for the confusion, I've decided to abandon the feature branch to speed up the rebasing and the process. Please let me know if you think it would be better to go back and continue working on the feature branch instead.
@joshelser
But why does HBASE-26655 not have a link to https://github.com/apache/hbase/pull/4019?
I see the link in the jira.