hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Enis Soztutar (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HBASE-16203) may be a bug on hbase authorization
Date Sun, 17 Jul 2016 21:21:20 GMT

     [ https://issues.apache.org/jira/browse/HBASE-16203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Enis Soztutar resolved HBASE-16203.
    Resolution: Invalid

Can you please ask the question user@hbase.apache.org or dev@hbase.apache.org.  

In short, you should give authorization to a principal (like newUser), rather than an instance
of the principle, like "newUser/hostname@DOMAIN". 

> may be a bug on hbase authorization
> -----------------------------------
>                 Key: HBASE-16203
>                 URL: https://issues.apache.org/jira/browse/HBASE-16203
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 0.98.10
>            Reporter: wangyongqiang
> in hbase with kerbose and authorization on, I enter hbase shell with a hbase super user,
and do the following steps:
> {quote}
> 1. grant  "newUser/slave2@HADOOP.COM"
> "newUser/slave2@HADOOP.COM" is one of the kerbose principles
> 2. exit hbase shell
> 3. enter hbase shell again with principle "newUser/slave2@HADOOP.COM"
> 4. scan 't1'
> t1 is one of the table in hbase
> {quote}
> the result is: AccessDeniedException 
> after debug regionServer code, I find the problem is:
> {quote}
> 1. when we grant the global admin to "newUser/slave2@HADOOP.COM", TableAuthManager store
this info with the whole name, newUser/slave2@HADOOP.COM
> 2. when we enter hbase shell with principle "newUser/slave2@HADOOP.COM" and scan table,
regionServer will do do authorization check, such as check if the user is superUser
> when do this check, use the short name(newUser), not the whole name(newUser/slave2@HADOOP.COM)
> {quote}

This message was sent by Atlassian JIRA

View raw message