Posted to dev@hbase.apache.org by "Aleksandr Shulman (JIRA)" <ji...@apache.org> on 2013/11/14 20:11:21 UTC
[jira] [Created] (HBASE-9973) [ACL]: Users with 'Admin' ACL
permission will lose permissions after upgrade to 0.96.x from 0.94.x or
0.92.x
Aleksandr Shulman created HBASE-9973:
----------------------------------------
Summary: [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
Key: HBASE-9973
URL: https://issues.apache.org/jira/browse/HBASE-9973
Project: HBase
Issue Type: Bug
Components: security
Affects Versions: 0.96.0, 0.96.1
Reporter: Aleksandr Shulman
Fix For: 0.96.1
In our testing, we have uncovered that the ACL permissions for users with the 'A' credential do not hold after the upgrade to 0.96.x.
This is because in the ACL table, the entry for the admin user is a permission on the '_acl_' table with permission 'A'. However, because of the namespace transition, there is no longer an '_acl_' table. Therefore, that entry in the hbase:acl table is no longer valid.
Example:
{code}
hbase(main):002:0> scan 'hbase:acl'
ROW COLUMN+CELL
TestTable column=l:hdfs, timestamp=1384454830701, value=RW
TestTable column=l:root, timestamp=1384455875586, value=RWCA
_acl_ column=l:root, timestamp=1384454767568, value=C
_acl_ column=l:tableAdmin, timestamp=1384454788035, value=A
hbase:acl column=l:root, timestamp=1384455875786, value=C
{code}
In this case, the following entry becomes meaningless:
{code} _acl_ column=l:tableAdmin, timestamp=1384454788035, value=A {code}
As a result,
Proposed fix:
I see the fix being relatively straightforward. As part of the migration, change any entries in the '_acl_' table with key '_acl_' into a new row with key 'hbase:acl', all else being the same. And the old entry would be deleted.
This can go into the standard migration script that we expect users to run.
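The row-key rewrite proposed in the report, worked through as an added example (not code from the report or from the HBase project): it parses scan output, plans the cells to move from row '_acl_' to row 'hbase:acl', and renders the plan as HBase shell put/delete statements for review. Assumptions: the sample scan is constructed from the one in the report, the function names are hypothetical, and unioning permission letters on a collision is a policy chosen here, not one the report states.

```ruby
# Added example: plan the '_acl_' -> 'hbase:acl' row-key rewrite from scan output.
# SCAN is a constructed sample modelled on the scan shown in the report.
SCAN = <<~OUT
  ROW COLUMN+CELL
  TestTable column=l:hdfs, timestamp=1384454830701, value=RW
  TestTable column=l:root, timestamp=1384455875586, value=RWCA
  _acl_ column=l:root, timestamp=1384454767568, value=C
  _acl_ column=l:tableAdmin, timestamp=1384454788035, value=A
  hbase:acl column=l:root, timestamp=1384455875786, value=C
OUT

OLD_ROW = '_acl_'
NEW_ROW = 'hbase:acl'
CELL = /\A\s*(\S+)\s+column=([^,]+),\s*timestamp=(\d+),\s*value=(\S*)\s*\z/

# Parse scan output into { row => { column => permission string } }.
def parse_scan(text)
  acl = Hash.new { |h, k| h[k] = {} }
  text.each_line do |line|
    m = CELL.match(line.chomp) or next # skips the header and blank lines
    acl[m[1]][m[2]] = m[4]
  end
  acl
end

# Build the migration plan. Assumption (not stated in the report): when the new
# row already holds a cell for the same user, the permission letters are unioned
# so the rewrite never drops a grant. Cells that would not change are skipped.
def plan_migration(acl)
  old = acl.fetch(OLD_ROW, {})
  writes = old.map do |col, perms|
    existing = acl.fetch(NEW_ROW, {}).fetch(col, '')
    merged = (existing.chars | perms.chars).join
    merged == existing ? nil : [col, merged]
  end.compact
  { puts: writes, deletes: old.keys }
end

# Render the plan as HBase shell put/delete statements against hbase:acl.
def to_shell(plan)
  plan[:puts].map { |c, v| "put 'hbase:acl', '#{NEW_ROW}', '#{c}', '#{v}'" } +
    plan[:deletes].map { |c| "delete 'hbase:acl', '#{OLD_ROW}', '#{c}'" }
end

puts to_shell(plan_migration(parse_scan(SCAN))) if __FILE__ == $PROGRAM_NAME
```

On the sample scan the only new cell is l:tableAdmin=A, since l:root=C already exists under 'hbase:acl'; both old '_acl_' cells are listed for deletion.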