Date: Wed, 6 Apr 2016 13:19:25 +0000 (UTC)
From: "Yu Li (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Commented] (HBASE-15577) there need be a mechanism to enable ZK's ACL check when the authentication strategy is simple

[ https://issues.apache.org/jira/browse/HBASE-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15228223#comment-15228223 ]

Yu Li commented on HBASE-15577:
-------------------------------

bq. the reason why HMaster.MASTER & HRegionServer.REGIONSERVER are not used is that hbase-client has no dependency on hbase-server

Ok, then I suggest moving the constants into HConstants and using them everywhere, if necessary.

bq. the client just needs some auth to read the ZK's nodes, but can't modify them.

The auth config is read from the configuration file, right? IMO it's better to control the access through configuration (wrong auth won't be able to access). OTOH, since ZookeeperWatcher is {{IA.Private}}, if there is no special design for the UT case, I think we could even remove the identifier check. W.r.t. the unit test, it would be great if you could refer to {{TestZooKeeperACL}} to add a case for the sanity test steps in the description. Thanks.

> there need be a mechanism to enable ZK's ACL check when the authentication strategy is simple
> ---------------------------------------------------------------------------------------------
>
>                 Key: HBASE-15577
>                 URL: https://issues.apache.org/jira/browse/HBASE-15577
>             Project: HBase
>          Issue Type: Improvement
>    Affects Versions: 1.1.3
>            Reporter: chenxu
>            Assignee: chenxu
>         Attachments: HBASE-15577-02.patch, HBASE-15577.patch, zk-set-acl.patch
>
>
> If hbase.security.authentication is set to simple, ZKUtil.createACL just returns Ids.OPEN_ACL_UNSAFE, meaning there is no ACL check on the ZK nodes.
> We can refactor this to enable the ACL check function.
> Manual steps to verify the patch:
> *1. Set these properties in hbase-site.xml*
> {quote}
> hbase.security.authentication (simple)
> hbase.zookeeper.acl (digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa)
> hbase.zookeeper.auth (digest:admin)
> {quote}
> The digest can be generated by DigestAuthenticationProvider.generateDigest("admin").
> *2. Start the cluster*
> *3. Verify the ZK nodes*
> {quote}
> (1) getAcl /hbase, result is:
> 'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
> 'world,'anyone: r
> (2) getAcl /hbase/table-lock, result is:
> 'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
> {quote}
> If the node is one of the below, all clients can read the node, but only the servers (RegionServer & Master, which have the auth info) can modify it:
> {quote}
> /hbase
> /hbase/meta-region-server
> /hbase/master
> /hbase/hbaseid
> /hbase/rs
> /hbase/table
> /hbase/table/$tableName
> {quote}
> Otherwise, only the servers can read and modify the node; the client can't see them.
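The digest ACL from step 1 and the getAcl results from step 3 of the quoted description, as an added example (Python; not HBase or ZooKeeper project code): it rebuilds the ZooKeeper "digest" id the way DigestAuthenticationProvider.generateDigest does (user + ":" + base64 of the SHA-1 over the whole id:password string), parses the hbase.zookeeper.acl value, and evaluates which operations a session with a given auth gets on the /hbase and /hbase/table-lock ACLs shown above. The "wrong" and "anon" client sessions are constructed for illustration; only the world and digest schemes from the issue are modelled.

```python
import base64
import hashlib

# ZooKeeper permission letters as used in the "cdrwa" suffix of an ACL string.
PERM_LETTERS = {"c": "create", "d": "delete", "r": "read", "w": "write", "a": "admin"}

def generate_digest(id_password: str) -> str:
    """Same construction as ZooKeeper's DigestAuthenticationProvider.generateDigest:
    the id is '<user>:' + base64(SHA-1(<entire id:password string>))."""
    user = id_password.split(":", 1)[0]
    digest = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(digest).decode("ascii")

def parse_acl(acl_str: str) -> dict:
    """Parse one 'scheme:id:perms' entry as written in hbase.zookeeper.acl.
    The id itself contains ':' for digest ids, so the perms are split off the right."""
    scheme, rest = acl_str.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    unknown = set(perms) - set(PERM_LETTERS)
    if unknown:
        raise ValueError(f"unknown permission letters: {sorted(unknown)}")
    return {"scheme": scheme, "id": ident, "perms": set(perms)}

def allowed_ops(acls: list, auth_infos: list) -> set:
    """Union of operations granted to a session that presented auth_infos
    (list of (scheme, id_password) pairs, i.e. what addAuth sent) against
    a node's ACL list. Only the 'world' and 'digest' schemes are modelled."""
    session_ids = {generate_digest(pw) for scheme, pw in auth_infos if scheme == "digest"}
    granted = set()
    for acl in acls:
        if acl["scheme"] == "world" and acl["id"] == "anyone":
            granted |= acl["perms"]
        elif acl["scheme"] == "digest" and acl["id"] in session_ids:
            granted |= acl["perms"]
    return {PERM_LETTERS[p] for p in granted}

# ACLs exactly as getAcl printed them in step 3 of the issue description.
ADMIN_ACL = parse_acl("digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa")
WORLD_READ = parse_acl("world:anyone:r")
HBASE_ROOT_ACLS = [ADMIN_ACL, WORLD_READ]       # /hbase
TABLE_LOCK_ACLS = [ADMIN_ACL]                   # /hbase/table-lock

if __name__ == "__main__":
    server = [("digest", "admin")]              # hbase.zookeeper.auth=digest:admin
    wrong_client = [("digest", "admin:wrong")]  # constructed: bad credential
    anon_client = []                            # constructed: no addAuth at all
    for name, auth in [("server", server), ("wrong", wrong_client), ("anon", anon_client)]:
        print(name, sorted(allowed_ops(HBASE_ROOT_ACLS, auth)),
              sorted(allowed_ops(TABLE_LOCK_ACLS, auth)))
```

Running it shows the split the description asks for: every session can read /hbase, only the session holding the "admin" auth can modify it, and /hbase/table-lock is invisible to sessions without that auth.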