hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-17717) Incorrect ZK ACL set for HBase superuser
Date Thu, 02 Mar 2017 16:43:45 GMT

    [ https://issues.apache.org/jira/browse/HBASE-17717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15892577#comment-15892577
] 

Josh Elser commented on HBASE-17717:
------------------------------------

bq. The documentation on the zookeeper side is not explicit unfortunately.

Yes, this is unfortunate for sure.

bq. So it only replaces auth with sasl iff the user principal matches with the current user

My understanding is that when the client setting an ACL includes one with {{auth}} as the
scheme, the ACL is modified (before being set on the znode) to be the current user's authenticated
credentials.

It seems like, somehow, this was still being treated as unique to the explicit {{sasl:hbase}}
ACL that we also set (thus, two ACLs showing up). Let me poke in the ZK code and try to understand
this a little more..

> Incorrect ZK ACL set for HBase superuser
> ----------------------------------------
>
>                 Key: HBASE-17717
>                 URL: https://issues.apache.org/jira/browse/HBASE-17717
>             Project: HBase
>          Issue Type: Bug
>          Components: security, Zookeeper
>            Reporter: Shreya Bhat
>            Assignee: Josh Elser
>             Fix For: 2.0.0, 1.3.1, 1.1.10, 1.2.6
>
>         Attachments: HBASE-17717.001.patch
>
>
> Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs were actually
set as we expect (yay, security).
> She noticed that, in some cases, we were seeing multiple ACLs for the same user.
> {noformat}
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> {noformat}
> After digging into this (and some insight from the mighty [~enis]), we realized that
this was happening because of an overridden value for {{hbase.superuser}}. However, the ACL
value doesn't match what we'd expect to see (as hbase.superuser was set to {{cstm-hbase}}).
> After digging into this code, it seems like the {{auth}} ACL scheme in ZooKeeper does
not work as we expect.
> {code}
>       if (superUser != null) {
>         acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
>       }
> {code}
> In the above, the {{"auth"}} scheme ignores any provided "subject" in the {{Id}} object.
It *only* considers the authentication of the current connection. As such, our usage of this
never actually sets the ACL for the superuser correctly.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message