hbase-issues mailing list archives

From "chenxu (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-15577) there need be a mechanism to enable ZK's ACL check when the authentication strategy is simple
Date Fri, 08 Apr 2016 05:02:25 GMT

     [ https://issues.apache.org/jira/browse/HBASE-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

chenxu updated HBASE-15577:
---------------------------
    Attachment: HBASE-15577-03.patch

> there need be a mechanism to enable ZK's ACL check when the authentication strategy is simple
> ---------------------------------------------------------------------------------------------
>
>                 Key: HBASE-15577
>                 URL: https://issues.apache.org/jira/browse/HBASE-15577
>             Project: HBase
>          Issue Type: Improvement
>    Affects Versions: 1.1.3
>            Reporter: chenxu
>            Assignee: chenxu
>         Attachments: HBASE-15577-02.patch, HBASE-15577-03.patch, HBASE-15577.patch, zk-set-acl.patch
>
>
> If hbase.security.authentication is set to simple, ZKUtil.createACL just returns Ids.OPEN_ACL_UNSAFE, which means that there is no ACL check on the ZK nodes.
> We can refactor this to enable the ACL check function.
> Manual steps to verify the patch:
> *1. Set these properties in hbase-site.xml*
> {quote}
>    hbase.security.authentication(simple)
>    hbase.zookeeper.acl (digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa)
>    hbase.zookeeper.auth(digest:admin)
> {quote}
> The digest can be generated by DigestAuthenticationProvider.generateDigest("admin").
> *2. Start the cluster*
> *3. Verify the ZK nodes*
> {quote}
>    (1)getAcl /hbase, result is:
>        'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
>        'world,'anyone: r
>    (2)getAcl /hbase/table-lock, result is:
>        'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
> {quote}
> If the node is one of those below, all clients can read it, but only the servers (RegionServer & Master, which have the auth info) can modify it:
> {quote}
>   /hbase
>   /hbase/meta-region-server
>   /hbase/master
>   /hbase/hbaseid
>   /hbase/rs
>   /hbase/table
>   /hbase/table/$tableName
> {quote}
> Otherwise, only the servers can read and modify the node; clients can't see it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
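
Added example, not part of the original message or the attached patch: a Python model of the verification steps above, reproducing the digest value and the read/modify split between clients and servers. It assumes ZooKeeper's digest scheme (id plus Base64 of the SHA-1 of the idPassword string) and reads the `hbase.zookeeper.acl` value as `scheme:id:perms` as written in the message; the helper names and the table name `t1` are hypothetical.

```python
import base64
import hashlib

# Znodes the description lists as readable by every client.
PUBLIC_READ = {"/hbase", "/hbase/meta-region-server", "/hbase/master",
               "/hbase/hbaseid", "/hbase/rs", "/hbase/table"}

def generate_digest(id_password):
    """ZooKeeper digest identity: id + ':' + Base64(SHA-1(idPassword))."""
    ident = id_password.split(":", 1)[0]
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return ident + ":" + base64.b64encode(sha1).decode("ascii")

def parse_acl(value):
    """Split a 'scheme:id:perms' string (format assumed from the message)."""
    scheme, rest = value.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    return scheme, ident, set(perms)

def expected_acl(path, server_acl):
    """ACL entries the description expects on a znode."""
    acl = [server_acl]
    if path in PUBLIC_READ or path.startswith("/hbase/table/"):
        acl.append(("world", "anyone", {"r"}))
    return acl

def allowed(acl, perm, auth=None):
    """True if a session (optionally 'digest:<idPassword>') holds perm."""
    ids = {("world", "anyone")}
    if auth:
        scheme, id_password = auth.split(":", 1)
        ids.add((scheme, generate_digest(id_password)))
    return any((s, i) in ids and perm in p for s, i, p in acl)

if __name__ == "__main__":
    # Property values copied from the message; "t1" is a constructed table name.
    server = parse_acl("digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa")
    for path in ("/hbase", "/hbase/table/t1", "/hbase/table-lock"):
        acl = expected_acl(path, server)
        print(path,
              "anon read:", allowed(acl, "r"),
              "anon write:", allowed(acl, "w"),
              "server write:", allowed(acl, "w", "digest:admin"))
```

The digest here is an unsalted SHA-1 of the auth string, so the protection on the znodes is only as strong as the value configured in `hbase.zookeeper.auth`.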
