hbase-issues mailing list archives

From "lujie (Jira)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-25407) list_regions make potential sensitive information disclosure
Date Fri, 18 Dec 2020 05:09:00 GMT

     [ https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie updated HBASE-25407:
--------------------------
    Description: 
I found that I can get other users' region information, which is not expected.

For example, I create a table as sysadmin, then I can read the region information as user1.
!image-2020-12-18-13-00-20-126.png!

I have found that list_regions was introduced by https://issues.apache.org/jira/browse/HBASE-14925

We can also get the region info by REST.

!image-2020-12-18-13-07-00-777.png!

I am just confused about why there is no ACL on the regions, because I think the more information we expose, the more danger we will be in, and we may even be attacked by others.

  was:
I found that I can get other users' region information, which is not expected.

For example, I create a table as sysadmin, then I can read the region information as user1.
!image-2020-12-18-13-00-20-126.png!

I have found that list_regions was introduced by https://issues.apache.org/jira/browse/HBASE-14925

> list_regions make potential sensitive information disclosure
> ------------------------------------------------------------
>
>                 Key: HBASE-25407
>                 URL: https://issues.apache.org/jira/browse/HBASE-25407
>             Project: HBase
>          Issue Type: Bug
>            Reporter: lujie
>            Priority: Critical
>         Attachments: image-2020-12-18-13-00-20-126.png, image-2020-12-18-13-07-00-777.png
>
>
> I found that I can get other users' region information, which is not expected.
>
> For example, I create a table as sysadmin, then I can read the region information as user1.
> !image-2020-12-18-13-00-20-126.png!
>
> I have found that list_regions was introduced by https://issues.apache.org/jira/browse/HBASE-14925
>
> We can also get the region info by REST.
>
> !image-2020-12-18-13-07-00-777.png!
>
> I am just confused about why there is no ACL on the regions, because I think the more information we expose, the more danger we will be in, and we may even be attacked by others.
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)