hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Enis Soztutar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
Date Mon, 18 Nov 2013 18:45:21 GMT

    [ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13825604#comment-13825604
] 

Enis Soztutar commented on HBASE-9973:
--------------------------------------

+1. Nice find. 

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x
from 0.94.x or 0.92.x
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-9973
>                 URL: https://issues.apache.org/jira/browse/HBASE-9973
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.96.0, 0.96.1
>            Reporter: Aleksandr Shulman
>            Assignee: Himanshu Vashishtha
>              Labels: acl
>             Fix For: 0.96.1
>
>         Attachments: 9973-v2.patch, 9973-v2.patch, 9973.patch
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 'A' credential
do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a permission on the
'_acl_' table with permission 'A'. However, because of the namespace transition, there is
no longer an '_acl_' table. Therefore, that entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW                   COLUMN+CELL                                               
>  TestTable            column=l:hdfs, timestamp=1384454830701, value=RW          
>  TestTable            column=l:root, timestamp=1384455875586, value=RWCA        
>  _acl_                column=l:root, timestamp=1384454767568, value=C           
>  _acl_                column=l:tableAdmin, timestamp=1384454788035, value=A     
>  hbase:acl            column=l:root, timestamp=1384455875786, value=C           
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_                column=l:tableAdmin, timestamp=1384454788035, value=A   
 {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, change any
entries in the '_acl_' table with key '_acl_' into a new row with key 'hbase:acl', all else
being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message