hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shibin Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-18323) Remove multiple ACLs for the same user in kerberos
Date Fri, 21 Jul 2017 03:57:01 GMT

    [ https://issues.apache.org/jira/browse/HBASE-18323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16095738#comment-16095738
] 

Shibin Zhang commented on HBASE-18323:
--------------------------------------

[~elserj]  sorry to feedback so late,  could you help me codereview , how about this way :
 String hbaseUser = null;
     {color:#d04437} try {
            hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();
      } catch (IOException e) {
        LOG.warn("Current Service User could not get.", e);
      }{color}
      if (superUsers != null) {
        List<String> groups = new ArrayList<>();
        for (String user : superUsers) {
          if (AuthUtil.isGroupPrincipal(user)) {
            // TODO: Set node ACL for groups when ZK supports this feature
            groups.add(user);
          } else {
          {color:#d04437}  if(!user.equals(hbaseUser)) {
              acls.add(new ACL(Perms.ALL, new Id("sasl", user)));
            }{color}
          }
        }
        if (!groups.isEmpty(){color:#d04437}colored text{color}) {
          LOG.warn("Znode ACL setting for group " + groups
              + " is skipped, ZooKeeper doesn't support this feature presently.");
        }
      }

> Remove multiple ACLs for the same user in kerberos
> --------------------------------------------------
>
>                 Key: HBASE-18323
>                 URL: https://issues.apache.org/jira/browse/HBASE-18323
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 1.2.0, 3.0.0
>            Reporter: Shibin Zhang
>            Priority: Minor
>         Attachments: HBASE-18323.patch, HBASE-18323-V2.patch, HBASE-18323-V3.patch
>
>
> When deploy hbase in kerberos way ,there will be multiple acls in znode :
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> I also see the related issue and apply the patch, like  https://issues.apache.org/jira/browse/HBASE-17717

> but in my environment ,this situation still appear,
> After dig into the code , i found the reason in source code  ZKUtil.createAcl  is
>  if (zkw.isClientReadable(node)) {
>         LOG.error("isSecureZooKeeper user: clientReadable");
>         acls.addAll(Ids.CREATOR_ALL_ACL);
>         acls.addAll(Ids.READ_ACL_UNSAFE);
>       } else {
>         LOG.error("isSecureZooKeeper user: clientReadable no");
>         acls.addAll(Ids.CREATOR_ALL_ACL);
>       } 
>   acls.addAll(Ids.CREATOR_ALL_ACL);   
>   
>   Id AUTH_IDS = new Id("auth", "");
> ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new ACL(31,
AUTH_IDS)));
> AUTH_IDS   with  "auth " will result  current connection auth user  add to znode acl
,
> so it will appear multiple acls for same users.
> I think this line of code  we can remove  :  acls.addAll(Ids.CREATOR_ALL_ACL);   



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message