hbase-dev mailing list archives

From "Aleksandr Shulman (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
Date Thu, 14 Nov 2013 19:11:21 GMT
Aleksandr Shulman created HBASE-9973:
----------------------------------------

             Summary: [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
                 Key: HBASE-9973
                 URL: https://issues.apache.org/jira/browse/HBASE-9973
             Project: HBase
          Issue Type: Bug
          Components: security
    Affects Versions: 0.96.0, 0.96.1
            Reporter: Aleksandr Shulman
             Fix For: 0.96.1


In our testing, we have uncovered that the ACL permissions for users with the 'A' credential
do not hold after the upgrade to 0.96.x.

This is because in the ACL table, the entry for the admin user is a permission on the '_acl_'
table with permission 'A'. However, because of the namespace transition, there is no longer
an '_acl_' table. Therefore, that entry in the hbase:acl table is no longer valid.

Example:

{code}hbase(main):002:0> scan 'hbase:acl'
ROW                   COLUMN+CELL                                               
 TestTable            column=l:hdfs, timestamp=1384454830701, value=RW          
 TestTable            column=l:root, timestamp=1384455875586, value=RWCA        
 _acl_                column=l:root, timestamp=1384454767568, value=C           
 _acl_                column=l:tableAdmin, timestamp=1384454788035, value=A     
 hbase:acl            column=l:root, timestamp=1384455875786, value=C           
{code}

In this case, the following entry becomes meaningless:
{code} _acl_                column=l:tableAdmin, timestamp=1384454788035, value=A     {code}

As a result, 

Proposed fix:
I see the fix being relatively straightforward. As part of the migration, change any entries
in the '_acl_' table with key '_acl_' into a new row with key 'hbase:acl', all else being
the same. And the old entry would be deleted.

This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
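
A dry-run sketch of the row move proposed in the message above, added here as an example; it is not HBase's migration script or the reporter's code. The function names and the conflict policy (never overwrite a differing value already present under 'hbase:acl'; flag it for review instead) are assumptions.

```ruby
# Added example: dry-run planner for moving '_acl_' rows to 'hbase:acl'.
# Parses scan text only; it never talks to a cluster.
OLD_ROW = '_acl_'       # pre-namespace row key, from the report
NEW_ROW = 'hbase:acl'   # post-namespace row key, from the report

# Scan output copied from the report above.
SCAN = <<~OUT
   TestTable            column=l:hdfs, timestamp=1384454830701, value=RW
   TestTable            column=l:root, timestamp=1384455875586, value=RWCA
   _acl_                column=l:root, timestamp=1384454767568, value=C
   _acl_                column=l:tableAdmin, timestamp=1384454788035, value=A
   hbase:acl            column=l:root, timestamp=1384455875786, value=C
OUT

CELL = /\A\s*(\S+)\s+column=([^,]+), timestamp=\d+, value=(\S*)\s*\z/

def parse_scan(text)
  text.each_line.map { |line| CELL.match(line) }.compact.map do |m|
    { row: m[1], column: m[2], value: m[3] }
  end
end

# Returns [actions, conflicts]. Assumed policy (not from the report): if the
# target row already holds the column with a different value, leave both rows
# untouched and report the column for manual review.
def plan_migration(cells)
  current = cells.select { |c| c[:row] == NEW_ROW }
                 .map { |c| [c[:column], c[:value]] }.to_h
  actions = []
  conflicts = []
  cells.select { |c| c[:row] == OLD_ROW }.each do |c|
    existing = current[c[:column]]
    if existing.nil?
      actions << [:put, NEW_ROW, c[:column], c[:value]]
      actions << [:delete, OLD_ROW, c[:column]]
    elsif existing == c[:value]
      actions << [:delete, OLD_ROW, c[:column]] # same grant already migrated
    else
      conflicts << [c[:column], c[:value], existing]
    end
  end
  [actions, conflicts]
end

actions, conflicts = plan_migration(parse_scan(SCAN))
actions.each { |a| puts a.inspect }
puts "conflicts needing review: #{conflicts.inspect}"
```

On the scan from the report, the plan moves the l:tableAdmin 'A' grant to the 'hbase:acl' row and drops the duplicate l:root entry, with no conflicts.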
