hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Enis Soztutar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-13769) Some ZK ACLs are unnecessarily permissive
Date Wed, 01 Jul 2015 23:23:05 GMT

    [ https://issues.apache.org/jira/browse/HBASE-13769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14611165#comment-14611165
] 

Enis Soztutar commented on HBASE-13769:
---------------------------------------

This is the current logic for isClientReadable after 13768: 
{code}
  public boolean isClientReadable(String node) {
    return
        node.equals(baseZNode) ||
        isAnyMetaReplicaZnode(node) ||
        node.equals(getMasterAddressZNode()) ||
        node.equals(clusterIdZNode)||
        node.equals(rsZNode) ||
        // /hbase/table and /hbase/table/foo is allowed, /hbase/table-lock is not
        node.equals(tableZNode) ||
        node.startsWith(tableZNode + "/");
{code}
from the above list, the only fishy one is rsZNode. Not sure whether that needs to be visible
to the clients. Other than that, all others should be needed. 
We can abstract away zk altogether from the client side, but it is a different discussion.


> Some ZK ACLs are unnecessarily permissive
> -----------------------------------------
>
>                 Key: HBASE-13769
>                 URL: https://issues.apache.org/jira/browse/HBASE-13769
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Andrew Purtell
>            Priority: Critical
>
> Some ZK ACLs are unnecessarily permissive. We can remove permissions for 'world' on backup-masters/,
region-in-transition/, rs/, and table/.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message