hbase-issues mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-17717) Incorrect ZK ACL set for HBase superuser
Date Thu, 02 Mar 2017 20:46:45 GMT


Josh Elser updated HBASE-17717:
    Release Note: In previous versions of HBase, the system intended to set a ZooKeeper ACL
on all "sensitive" ZNodes for the user specified in the hbase.superuser configuration property.
Unfortunately, the ACL was malformed which resulted in the hbase.superuser being unable to
access the sensitive ZNodes that HBase creates. This JIRA issue fixes this bug. HBase will
automatically correct the ACLs on start so users do not need to manually correct the ACLs.

> Incorrect ZK ACL set for HBase superuser
> ----------------------------------------
>                 Key: HBASE-17717
>                 URL: https://issues.apache.org/jira/browse/HBASE-17717
>             Project: HBase
>          Issue Type: Bug
>          Components: security, Zookeeper
>            Reporter: Shreya Bhat
>            Assignee: Josh Elser
>             Fix For: 2.0.0, 1.3.1, 1.1.10, 1.2.6
>         Attachments: HBASE-17717.001.patch
> Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs were actually set as we expect (yay, security).
> She noticed that, in some cases, we were seeing multiple ACLs for the same user.
> {noformat}
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> {noformat}
> After digging into this (and some insight from the mighty [~enis]), we realized that this was happening because of an overridden value for {{hbase.superuser}}. However, the ACL value doesn't match what we'd expect to see (as hbase.superuser was set to {{cstm-hbase}}).
> After digging into this code, it seems like the {{auth}} ACL scheme in ZooKeeper does not work as we expect.
> {code}
>       if (superUser != null) {
>         acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
>       }
> {code}
> In the above, the {{"auth"}} scheme ignores any provided "subject" in the {{Id}} object. It *only* considers the authentication of the current connection. As such, our usage of this never actually sets the ACL for the superuser correctly.
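As an added example (not code from the issue or from HBase itself), the following Python check parses zkCli `getAcl` output in the two-line format quoted above and reports what the issue describes: a duplicated entry for the same user and a configured hbase.superuser that has no `sasl` ACL at all. The sample output and the superuser name cstm-hbase are taken from the issue; the world:anyone check is an extra sanity check, and the superuser is assumed to be a plain user (not a group) expressed as a `sasl` id.

```python
"""Verify ZooKeeper ACLs on an HBase znode against the configured hbase.superuser."""
import re
from collections import Counter

# Constructed sample: the getAcl output quoted in the issue, taken with
# hbase.superuser=cstm-hbase. The duplicated 'sasl,'hbase entry is what the
# "auth" scheme produced: it expanded to the connecting identity, not the superuser.
SAMPLE_GETACL = """'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
"""


def parse_getacl(text):
    """Return [(scheme, id, perms), ...] from zkCli getAcl output (two lines per entry)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for i in range(0, len(lines) - 1, 2):
        ident = re.match(r"^'([^,]+),'(.*)$", lines[i])          # e.g. 'sasl,'hbase
        perms = re.match(r"^:\s*([cdrwa]*)$", lines[i + 1])       # e.g. : cdrwa
        if not ident or not perms:
            raise ValueError(f"unrecognised getAcl lines: {lines[i]!r} / {lines[i + 1]!r}")
        entries.append((ident.group(1), ident.group(2), perms.group(1)))
    return entries


def check_acls(entries, superuser):
    """Return a list of findings; an empty list means the ACL matches what HBase intends."""
    findings = []
    # The same (scheme, id, perms) listed twice is the symptom reported in the issue.
    for scheme, ident, perms in (e for e, n in Counter(entries).items() if n > 1):
        findings.append(f"duplicate ACL {scheme}:{ident} {perms}")
    # world:anyone should never get more than read on a sensitive znode.
    for scheme, ident, perms in entries:
        if scheme == "world" and set(perms) - {"r"}:
            findings.append(f"world:{ident} has more than read: {perms}")
    # The superuser must be present as an explicit sasl ACL with full permissions;
    # an "auth" id never stores the superuser, only the connection's own identity.
    if ("sasl", superuser, "cdrwa") not in entries:
        findings.append(f"superuser {superuser!r} has no sasl ACL with full permissions")
    return findings


if __name__ == "__main__":
    for finding in check_acls(parse_getacl(SAMPLE_GETACL), "cstm-hbase"):
        print(finding)
```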
