Return-Path: X-Original-To: apmail-hbase-issues-archive@www.apache.org Delivered-To: apmail-hbase-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 25D9218A65 for ; Thu, 4 Feb 2016 08:17:48 +0000 (UTC) Received: (qmail 35432 invoked by uid 500); 4 Feb 2016 08:17:40 -0000 Delivered-To: apmail-hbase-issues-archive@hbase.apache.org Received: (qmail 35335 invoked by uid 500); 4 Feb 2016 08:17:40 -0000 Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@hbase.apache.org Received: (qmail 35076 invoked by uid 99); 4 Feb 2016 08:17:40 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 04 Feb 2016 08:17:40 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id D7FCB2C1F60 for ; Thu, 4 Feb 2016 08:17:39 +0000 (UTC) Date: Thu, 4 Feb 2016 08:17:39 +0000 (UTC) From: "stack (JIRA)" To: issues@hbase.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HBASE-15200) ZooKeeper znode ACL checks should only compare the shortname MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HBASE-15200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15131925#comment-15131925 ] stack commented on HBASE-15200: ------------------------------- Are those your findbugs that are showing now [~apurtell]? See over here in HBASE-15177 , https://builds.apache.org/job/PreCommit-HBASE-Build/424/artifact/patchprocess/branch-findbugs-hbase-client-warnings.html Thanks. > ZooKeeper znode ACL checks should only compare the shortname > ------------------------------------------------------------ > > Key: HBASE-15200 > URL: https://issues.apache.org/jira/browse/HBASE-15200 > Project: HBase > Issue Type: Bug > Affects Versions: 2.0.0, 1.2.0, 1.0.3, 1.1.3, 0.98.17 > Reporter: Andrew Purtell > Assignee: Andrew Purtell > Priority: Minor > Fix For: 2.0.0, 1.3.0, 1.2.1, 1.1.4, 1.0.4, 0.98.18 > > Attachments: HBASE-15200-branch-1.0.patch, HBASE-15200-branch-1.1.patch, HBASE-15200.patch, HBASE-15200.patch > > > After HBASE-13768 we check at startup in secure configurations if our znodes have the correct ACLs. However when checking the ACL we compare the Kerberos fullname, which includes the host component. We should only compare the shortname, the principal. Otherwise in a multimaster configuration we will unnecessarily reset ACLs whenever any master running on a host other than the one that initialized the ACLs makes the check. You can imagine this happening multiple times in a rolling restart scenario. -- This message was sent by Atlassian JIRA (v6.3.4#6332)