hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-15200) ZooKeeper znode ACL checks should only compare the shortname
Date Mon, 01 Feb 2016 17:50:39 GMT

     [ https://issues.apache.org/jira/browse/HBASE-15200?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Andrew Purtell updated HBASE-15200:
-----------------------------------
    Attachment: HBASE-15200.patch

Patch that fixes the comparison and also adds DEBUG level logging for reporting on the cause
of a permission check failure. This patch should apply to just about any version, maybe with
minor fuzz. 

> ZooKeeper znode ACL checks should only compare the shortname
> ------------------------------------------------------------
>
>                 Key: HBASE-15200
>                 URL: https://issues.apache.org/jira/browse/HBASE-15200
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 2.0.0, 1.2.0, 1.0.3, 1.1.3, 0.98.17
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>            Priority: Minor
>             Fix For: 2.0.0, 1.3.0, 1.1.4, 0.98.18
>
>         Attachments: HBASE-15200.patch
>
>
> After HBASE-13768 we check at startup in secure configurations if our znodes have the
correct ACLs. However when checking the ACL we compare the Kerberos fullname, which includes
the host component. We should only compare the shortname, the principal. Otherwise in a multimaster
configuration we will unnecessarily reset ACLs whenever any master running on a host other
than the one that initialized the ACLs makes the check. You can imagine this happening multiple
times in a rolling restart scenario.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message