hbase-dev mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-17717) Incorrect ZK ACL set for HBase superuser
Date Wed, 01 Mar 2017 23:27:45 GMT
Josh Elser created HBASE-17717:
----------------------------------

             Summary: Incorrect ZK ACL set for HBase superuser
                 Key: HBASE-17717
                 URL: https://issues.apache.org/jira/browse/HBASE-17717
             Project: HBase
          Issue Type: Bug
          Components: security, Zookeeper
            Reporter: Shreya Bhat
            Assignee: Josh Elser
             Fix For: 2.0.0, 1.3.1, 1.1.10, 1.2.6


Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs were actually
set as we expect (yay, security).

She noticed that, in some cases, we were seeing multiple ACLs for the same user.

{noformat}
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
{noformat}

After digging into this (and some insight from the mighty [~enis]), we realized that this
was happening because of an overridden value for {{hbase.superuser}}. However, the ACL value
doesn't match what we'd expect to see (as hbase.superuser was set to {{cstm-hbase}}).

After digging into this code, it seems like the {{auth}} ACL scheme in ZooKeeper does not
work as we expect.

{code}
      if (superUser != null) {
        acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
      }
{code}

In the above, the {{"auth"}} scheme ignores any provided "subject" in the {{Id}} object. It
*only* considers the authentication of the current connection. As such, our usage of this
never actually sets the ACL for the superuser correctly.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
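
The duplicated `'sasl,'hbase` entry in the output above can be reproduced with a small model of the behaviour the report describes. This is an added example, not HBase or ZooKeeper code: `resolve_acls`, `audit`, the creator `auth` entry with an empty id, and the explicit `sasl` entry used for contrast are assumptions made for illustration.

```python
from collections import Counter

ALL = "cdrwa"  # all permissions, written the way the ACL listing above shows them


def resolve_acls(requested, conn_ids):
    """Simplified model of how a requested ACL list ends up stored.

    requested: list of (perms, scheme, id) as the client sends them.
    conn_ids:  list of (scheme, id) the current connection authenticated as.
    Returns the stored list of (scheme, id, perms).
    """
    stored = []
    for perms, scheme, ident in requested:
        if scheme == "auth":
            # Behaviour described in the report: the supplied id is ignored
            # and the connection's own identities are used instead.
            stored.extend((s, i, perms) for s, i in conn_ids)
        else:
            stored.append((scheme, ident, perms))
    return stored


def audit(stored, expected_principal):
    """Return findings: duplicated entries and a missing expected principal."""
    findings = []
    for entry, n in Counter(stored).items():
        if n > 1:
            findings.append(f"duplicate ACL {entry[0]}:{entry[1]} x{n}")
    if not any(s == "sasl" and i == expected_principal for s, i, _ in stored):
        findings.append(f"no ACL for sasl:{expected_principal}")
    return findings


# Constructed scenario matching the report: the connection is authenticated
# as 'hbase' over SASL and hbase.superuser is overridden to 'cstm-hbase'.
CONN = [("sasl", "hbase")]
BUGGY = [("r", "world", "anyone"),
         (ALL, "auth", ""),              # creator entry (assumed)
         (ALL, "auth", "cstm-hbase")]    # superuser entry, as in the snippet
# Assumed alternative for contrast: name the principal under the sasl scheme.
EXPLICIT = BUGGY[:2] + [(ALL, "sasl", "cstm-hbase")]

if __name__ == "__main__":
    for name, req in (("auth", BUGGY), ("sasl", EXPLICIT)):
        stored = resolve_acls(req, CONN)
        print(name, stored, audit(stored, "cstm-hbase"))
```

Running `audit` over ACL listings gathered from a real deployment gives the same two signals the report started from: an identity listed twice, and the configured superuser absent.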
