hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-18323) Remove multiple ACLs for the same user in kerberos
Date Thu, 06 Jul 2017 14:55:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-18323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16076635#comment-16076635
] 

Josh Elser commented on HBASE-18323:
------------------------------------

bq.  why we use Ids.CREATOR_ALL_ACL ? maybe ,it's reasonable for user to set the servcie user
the same as superuser.

We use CREATOR_ALL_ACL to signify that the user creating the ZNode (the HBase "service") should
have permission to do everything to that node.

bq. If we set the service user not the same as superuser , this service user may be add to
znode acl 

Exactly. The typical case is that there is one superuser which is the same as the "service"
user. However, there may be other cases where the service user is not explicitly listed as
a superuser. In this case, the service user should still have full access to the znodes it
creates. It is a semantic point that CREATOR_ALL_ACL should be used as that is what we're
ultimately granting permissions on.

> Remove multiple ACLs for the same user in kerberos
> --------------------------------------------------
>
>                 Key: HBASE-18323
>                 URL: https://issues.apache.org/jira/browse/HBASE-18323
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 1.2.0, 3.0.0
>            Reporter: Shibin Zhang
>            Priority: Minor
>         Attachments: HBASE-18323.patch, HBASE-18323-V2.patch, HBASE-18323-V3.patch
>
>
> When deploy hbase in kerberos way ,there will be multiple acls in znode :
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> I also see the related issue and apply the patch, like  https://issues.apache.org/jira/browse/HBASE-17717

> but in my environment ,this situation still appear,
> After dig into the code , i found the reason in source code  ZKUtil.createAcl  is
>  if (zkw.isClientReadable(node)) {
>         LOG.error("isSecureZooKeeper user: clientReadable");
>         acls.addAll(Ids.CREATOR_ALL_ACL);
>         acls.addAll(Ids.READ_ACL_UNSAFE);
>       } else {
>         LOG.error("isSecureZooKeeper user: clientReadable no");
>         acls.addAll(Ids.CREATOR_ALL_ACL);
>       } 
>   acls.addAll(Ids.CREATOR_ALL_ACL);   
>   
>   Id AUTH_IDS = new Id("auth", "");
> ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new ACL(31,
AUTH_IDS)));
> AUTH_IDS   with  "auth " will result  current connection auth user  add to znode acl
,
> so it will appear multiple acls for same users.
> I think this line of code  we can remove  :  acls.addAll(Ids.CREATOR_ALL_ACL);   



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message