hbase-issues mailing list archives

From "Yu Li (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15577) there need be a mechanism to enable ZK's ACL check when the authentication strategy is simple
Date Wed, 06 Apr 2016 13:19:25 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15228223#comment-15228223 ]

Yu Li commented on HBASE-15577:
-------------------------------

bq. the reason why HMaster.MASTER & HRegionServer.REGIONSERVER are not used is because hbase-client has no dependency on hbase-server
OK, then I suggest moving the constants into HConstants and using them for all, if necessary.

bq. the client just needs some auth to read the ZK nodes, but can't modify them.
The auth config is read from the configuration file, right? IMO it's better to control the
access through configuration (wrong auth won't be able to access). OTOH, since ZooKeeperWatcher
is {{IA.Private}}, if there is no special design for the UT case, I think we could even remove the identifier
check.

W.r.t. the unit test, it would be great if you could refer to {{TestZooKeeperACL}} to add a case
for the sanity test steps in the description. Thanks.

> there need be a mechanism to enable ZK's ACL check when the authentication strategy is simple
> ---------------------------------------------------------------------------------------------
>
>                 Key: HBASE-15577
>                 URL: https://issues.apache.org/jira/browse/HBASE-15577
>             Project: HBase
>          Issue Type: Improvement
>    Affects Versions: 1.1.3
>            Reporter: chenxu
>            Assignee: chenxu
>         Attachments: HBASE-15577-02.patch, HBASE-15577.patch, zk-set-acl.patch
>
>
> if hbase.security.authentication is set to simple, ZKUtil.createACL just returns Ids.OPEN_ACL_UNSAFE, which means that there is no ACL check on the ZK nodes.
> we can refactor this to enable the ACL check
> manual steps to verify the patch
> *1.set this property in the hbase-site.xml*
> {quote}
>    hbase.security.authentication(simple)
>    hbase.zookeeper.acl (digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa)
>    hbase.zookeeper.auth(digest:admin)
> {quote}
> the digest can be generated by DigestAuthenticationProvider.generateDigest("admin")
> *2.start the cluster*
> *3.verify the zk's node*
> {quote}
>    (1)getAcl /hbase, result is:
>        'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
>        'world,'anyone: r
>    (2)getAcl /hbase/table-lock, result is:
>        'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
> {quote}
> if the node is listed below, all clients can read the node, but only the servers (RegionServer & Master, which have the auth info) can modify it
> {quote}
>   /hbase
>   /hbase/meta-region-server
>   /hbase/master
>   /hbase/hbaseid
>   /hbase/rs
>   /hbase/table
>   /hbase/table/$tableName
> {quote}
> otherwise, only the server can read and modify the node, the Client can't see them



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
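
An added example, not part of the message or of the attached patches: a Python check that recomputes the digest id the same way ZooKeeper's DigestAuthenticationProvider.generateDigest does, confirms that hbase.zookeeper.auth matches hbase.zookeeper.acl, and flags znodes where world:anyone holds more than read. The "scheme:id:perms" parsing and the one-line getAcl layout are assumed from the values quoted in the description; the `/constructed/open-node` entry is constructed sample data.

```python
import base64, hashlib, re

def generate_digest(id_password):
    # Mirrors ZooKeeper's DigestAuthenticationProvider.generateDigest:
    # "<text before first ':'>:" + base64(SHA-1(whole input string)).
    user = id_password.split(":", 1)[0]
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(sha1).decode("ascii")

def parse_acl_setting(value):
    # "scheme:id:perms" as shown in the description; a digest id contains ':'.
    scheme, rest = value.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    return scheme, ident, perms

# One ACL entry in the layout the description shows for getAcl output.
ACL_LINE = re.compile(r"^'(\w+),'(.+?)\s*:\s*([cdrwa]+)$")

def audit(acl_setting, auth_setting, getacl_dump):
    """Return findings; an empty list means config and znode ACLs agree."""
    findings = []
    scheme, ident, _ = parse_acl_setting(acl_setting)
    auth_scheme, auth_data = auth_setting.split(":", 1)
    if auth_scheme != scheme or generate_digest(auth_data) != ident:
        findings.append("hbase.zookeeper.auth does not produce the id in hbase.zookeeper.acl")
    for node, lines in getacl_dump.items():
        for line in lines:
            m = ACL_LINE.match(line.strip())
            if m is None:
                findings.append(f"{node}: unparsed ACL line {line!r}")
            elif m.group(1) == "world" and set(m.group(3)) - {"r"}:
                # Anything beyond read for world:anyone is the OPEN_ACL_UNSAFE situation.
                findings.append(f"{node}: world,{m.group(2)} holds '{m.group(3)}'")
    return findings

ACL = "digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa"   # value from the description
AUTH = "digest:admin"                                      # value from the description
DUMP = {
    "/hbase": ["'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa", "'world,'anyone: r"],
    "/hbase/table-lock": ["'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa"],
    "/constructed/open-node": ["'world,'anyone: cdrwa"],   # constructed sample, not from the page
}

if __name__ == "__main__":
    for finding in audit(ACL, AUTH, DUMP):
        print(finding)
```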
