hbase-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "wangyongqiang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-16203) may be a bug on hbase authorization
Date Sat, 09 Jul 2016 09:00:19 GMT
wangyongqiang created HBASE-16203:
-------------------------------------

             Summary: may be a bug on hbase authorization
                 Key: HBASE-16203
                 URL: https://issues.apache.org/jira/browse/HBASE-16203
             Project: HBase
          Issue Type: Bug
    Affects Versions: 0.98.10
            Reporter: wangyongqiang


in hbase with kerbose and authorization on, I enter hbase shell with a hbase super user, and
do the following steps:
{quote}
1. grant  "newUser/slave2@HADOOP.COM"
"newUser/slave2@HADOOP.COM" is one of the kerbose principles

2. exit hbase shell

3. enter hbase shell again with principle "newUser/slave2@HADOOP.COM"

4. scan 't1'
t1 is one of the table in hbase
{quote}

the result is: AccessDeniedException 

after debug regionServer code, I find the problem is:
{quote}
1. when we grant the global admin to "newUser/slave2@HADOOP.COM", TableAuthManager store this
info with the whole name, newUser/slave2@HADOOP.COM

2. when we enter hbase shell with principle "newUser/slave2@HADOOP.COM" and scan table, regionServer
will do do authorization check, such as check if the user is superUser
when do this check, use the short name(newUser), not the whole name(newUser/slave2@HADOOP.COM)

{quote}





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message