hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pankaj Kumar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14425) In Secure Zookeeper cluster superuser will not have sufficient permission if muliple values are configured in "hbase.superuser"
Date Mon, 14 Sep 2015 13:07:45 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14743490#comment-14743490
] 

Pankaj Kumar commented on HBASE-14425:
--------------------------------------

One more issue in this,
{code}
      if (superUser != null) {
        acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
      }
{code}

Here scheme is presently hard coded as "auth", actually it should be based on the auth provider
configured at ZK. 
I will raise another JIRA for this issue.

> In Secure Zookeeper cluster superuser will not have sufficient permission if muliple
values are configured in "hbase.superuser"
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-14425
>                 URL: https://issues.apache.org/jira/browse/HBASE-14425
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Pankaj Kumar
>            Assignee: Pankaj Kumar
>
> During master intialization we are setting ACLs for the znodes.
> In ZKUtil.createACL(ZooKeeperWatcher zkw, String node, boolean isSecureZooKeeper),
> {code}
>       String superUser = zkw.getConfiguration().get("hbase.superuser");
>       ArrayList<ACL> acls = new ArrayList<ACL>();
>       // add permission to hbase supper user
>       if (superUser != null) {
>         acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
>       }
> {code}
> Here we are directly setting "hbase.superuser" value to Znode which will cause an issue
when multiple values are configured. In "hbase.superuser" multiple superusers and supergroups
can be configured separated by comma. We need to iterate them and set ACL.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message