Posted to issues@hbase.apache.org by "ramkrishna.s.vasudevan (JIRA)" <ji...@apache.org> on 2013/03/28 19:11:17 UTC
[jira] [Commented] (HBASE-8213) global authorization may lose efficacy
[ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13616491#comment-13616491 ]
ramkrishna.s.vasudevan commented on HBASE-8213:
-----------------------------------------------
Nice find Jieshan.
> global authorization may lose efficacy
> ---------------------------------------
>
> Key: HBASE-8213
> URL: https://issues.apache.org/jira/browse/HBASE-8213
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.95.0, 0.96.0, 0.94.7
> Reporter: Jieshan Bean
> Assignee: Jieshan Bean
> Priority: Critical
>
> It depends on which region is opened first.
> Suppose we have 1 regionserver and only 1 user region REGION-A on this server; the _acl_ region was on another regionserver. _acl_ was opened a few seconds before REGION-A.
> The global authorization data read from Zookeeper was overwritten by the data read from configuration.
> {code}
>   private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
>       throws IOException {
>     this.conf = conf;
>     this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
>     try {
>       // Read global authorization data from zookeeper.
>       this.zkperms.start();
>     } catch (KeeperException ke) {
>       LOG.error("ZooKeeper initialization failed", ke);
>     }
>     // It will overwrite globalCache.
>     // initialize global permissions based on configuration
>     globalCache = initGlobal(conf);
>   }
> {code}
> This issue can be easily reproduced with the steps below:
> 1. Start a cluster with 3 regionservers.
> 2. Create a new table T1.
> 3. Grant a new user USER-A with global authorization.
> 4. Kill 1 regionserver RS3 and switch balance off.
> 5. Start regionserver RS3.
> 6. Assign region T1 to RS3.
> 7. Put data with user USER-A.
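The constructor ordering described in the quoted report, as an added example that is not part of the original message and is not HBase code: a simplified Java model in which grants loaded from ZooKeeper are replaced by configuration defaults, beside a reordered variant that keeps them. All names (`GlobalCacheOrdering`, `AuthManager`, `loadFromZooKeeper`, the `hbase` superuser, the sample grant) are assumptions made for illustration, and the reordering is one possible remedy, not necessarily the project's fix.

```java
import java.util.*;

// Simplified model of the ordering problem in HBASE-8213.
// Every class, method and value here is hypothetical; this is not HBase code.
public class GlobalCacheOrdering {
    // Constructed sample data standing in for global grants stored in ZooKeeper.
    static final Map<String, Set<String>> ZK_GLOBAL_PERMS =
        Map.of("USER-A", Set.of("READ", "WRITE"));

    static class AuthManager {
        Map<String, Set<String>> globalCache = new HashMap<>();

        // Stand-in for initGlobal(conf): builds a fresh cache holding only the superuser.
        static Map<String, Set<String>> initGlobal(String superuser) {
            Map<String, Set<String>> cache = new HashMap<>();
            cache.put(superuser, Set.of("ADMIN"));
            return cache;
        }

        // Stand-in for the ZooKeeper watcher start: pushes stored grants into the cache.
        void loadFromZooKeeper() {
            globalCache.putAll(ZK_GLOBAL_PERMS);
        }

        // Same order as the quoted constructor: ZooKeeper first, then configuration.
        static AuthManager buggy(String superuser) {
            AuthManager m = new AuthManager();
            m.loadFromZooKeeper();
            m.globalCache = initGlobal(superuser); // replaces the cache, dropping USER-A
            return m;
        }

        // Reordered: configuration defaults first, ZooKeeper grants merged on top.
        static AuthManager reordered(String superuser) {
            AuthManager m = new AuthManager();
            m.globalCache = initGlobal(superuser);
            m.loadFromZooKeeper();
            return m;
        }

        boolean authorize(String user, String action) {
            return globalCache.getOrDefault(user, Set.of()).contains(action);
        }
    }

    public static void main(String[] args) {
        System.out.println("buggy     USER-A WRITE: " + AuthManager.buggy("hbase").authorize("USER-A", "WRITE"));
        System.out.println("reordered USER-A WRITE: " + AuthManager.reordered("hbase").authorize("USER-A", "WRITE"));
        System.out.println("reordered hbase ADMIN:  " + AuthManager.reordered("hbase").authorize("hbase", "ADMIN"));
    }
}
```

In the model the failure is a silent denial for a user who was granted global access, which matches step 7 of the reproduction; a regression test for this class of bug should assert on an authorization decision made after construction, not only on the ZooKeeper read succeeding.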