hbase-issues mailing list archives

From "Ted Yu (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-8213) global authorization may lose efficacy
Date Mon, 01 Apr 2013 16:29:16 GMT

     [ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Yu updated HBASE-8213:
--------------------------

    Affects Version/s:     (was: 0.94.7)
                       0.94.6
        Fix Version/s: 0.94.7
                       0.98.0
                       0.95.0
         Hadoop Flags: Reviewed
    
> global authorization may lose efficacy 
> ---------------------------------------
>
>                 Key: HBASE-8213
>                 URL: https://issues.apache.org/jira/browse/HBASE-8213
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.95.0, 0.96.0, 0.94.6
>            Reporter: Jieshan Bean
>            Assignee: Jieshan Bean
>            Priority: Critical
>             Fix For: 0.95.0, 0.98.0, 0.94.7
>
>         Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch
>
>
> It depends on which region is opened first.
> Suppose we have 1 regionserver and only 1 user region REGION-A on this server, and the _acl_ region was on another regionserver. _acl_ was opened a few seconds before REGION-A.
> The global authorization data read from ZooKeeper was overwritten by the data read from configuration.
> {code}
>   private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
>       throws IOException {
>     this.conf = conf;
>     this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
>     try {
>       // Read global authorization data from zookeeper.
>       this.zkperms.start();
>     } catch (KeeperException ke) {
>       LOG.error("ZooKeeper initialization failed", ke);
>     }
>     // It will overwrite globalCache.
>     // initialize global permissions based on configuration
>     globalCache = initGlobal(conf);
>   }
> {code}
> This issue can be easily reproduced with the steps below:
> 1. Start a cluster with 3 regionservers.
> 2. Create a new table T1.
> 3. Grant a new user USER-A with global authorization.
> 4. Kill 1 regionserver RS3 and switch balance off.
> 5. Start regionserver RS3.
> 6. Assign region T1 to RS3.
> 7. Put data with user USER-A.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
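
The initialization-order problem in the quoted constructor, reduced to a self-contained model. This is an added example, not HBase code and not the attached patch. `PermissionSource`, `AuthManager`, the `configFirst` switch and the sample users are hypothetical, and the model assumes stored grants are delivered synchronously during `start()`.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.function.Consumer;

// Simplified model of the initialization order described in the report.
// All class and method names are hypothetical stand-ins, not HBase classes.
public class GlobalAuthInitOrder {

    // Stand-in for the ZooKeeper-backed watcher: start() synchronously
    // delivers the grants already stored in ZooKeeper to the listener.
    static class PermissionSource {
        private final Set<String> stored;
        PermissionSource(Set<String> stored) { this.stored = stored; }
        void start(Consumer<Set<String>> listener) { listener.accept(stored); }
    }

    static class AuthManager {
        private Set<String> globalCache = new HashSet<>();

        // Config-derived defaults: only the configured superuser.
        private static Set<String> initGlobal(String superuser) {
            return new HashSet<>(Set.of(superuser));
        }

        AuthManager(PermissionSource src, String superuser, boolean configFirst) {
            if (configFirst) {
                // Reordered: defaults first, stored grants merged on top.
                globalCache = initGlobal(superuser);
                src.start(grants -> globalCache.addAll(grants));
            } else {
                // Reported order: stored grants are loaded, then replaced.
                src.start(grants -> globalCache.addAll(grants));
                globalCache = initGlobal(superuser);
            }
        }

        boolean hasGlobalAccess(String user) { return globalCache.contains(user); }
    }

    public static void main(String[] args) {
        // Constructed sample data: USER-A was granted global access earlier.
        PermissionSource zk = new PermissionSource(Set.of("USER-A"));
        AuthManager reported = new AuthManager(zk, "hbase", false);
        AuthManager reordered = new AuthManager(zk, "hbase", true);
        System.out.println("reported order: USER-A allowed = " + reported.hasGlobalAccess("USER-A"));
        System.out.println("reordered:      USER-A allowed = " + reordered.hasGlobalAccess("USER-A"));
    }
}
```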
