Posted to issues@hbase.apache.org by "Anoop Sam John (JIRA)" <ji...@apache.org> on 2012/05/23 06:26:40 UTC

[jira] [Created] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Anoop Sam John created HBASE-6068:
-------------------------------------

             Summary: Secure HBase cluster : Client not able to call some admin APIs
                 Key: HBASE-6068
                 URL: https://issues.apache.org/jira/browse/HBASE-6068
             Project: HBase
          Issue Type: Bug
          Components: security
    Affects Versions: 0.94.0
            Reporter: Anoop Sam John


In case of a secure cluster, we allow the HBase clients to read the zk nodes by providing the global read permissions to all for certain nodes. These nodes are the master address znode, root server znode and the clusterId znode. In ZKUtil.createACL(), we can see these node names are specially handled.
But there are some other client side admin APIs which make a read call into the zookeeper from the client. This includes the isTableEnabled() call (maybe some others; I have seen this one). Here the client directly reads a node in the zookeeper (the node created for this table) and the data is matched to know whether this is enabled or not.
Now in the secure cluster case any client can read the zookeeper nodes which it needs for its normal operation, like the master address and root server address. But what if the client calls this API [isTableEnabled()]?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "stack (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

stack updated HBASE-6068:
-------------------------

       Resolution: Fixed
    Fix Version/s: 0.94.1
                   0.92.2
     Hadoop Flags: Reviewed
           Status: Resolved  (was: Patch Available)
    
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch

        

[jira] [Assigned] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi reassigned HBASE-6068:
--------------------------------------

    Assignee: Matteo Bertozzi
    
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi

        

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-6068:
-----------------------------------

    Attachment:     (was: HBASE-6068-v0.patch)
    
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "stack (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286076#comment-13286076 ] 

stack commented on HBASE-6068:
------------------------------

Applied the 0.92 patch to 0.92 and 0.94 branches.  Thanks Matteo.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch

        

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-6068:
-----------------------------------

    Attachment: HBASE-6068-v3.patch

backupMasterAddressesZNode and rsZNode are checked just for Children. This doesn't require auth on children too.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch

        

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-6068:
-----------------------------------

    Attachment: HBASE-6068-v0.patch
    
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283704#comment-13283704 ] 

Hadoop QA commented on HBASE-6068:
----------------------------------

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12529764/HBASE-6068-v1.patch
  against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    -1 tests included.  The patch doesn't appear to include any new or modified tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    +1 hadoop23.  The patch compiles against the hadoop 0.23.x profile.

    +1 javadoc.  The javadoc tool did not generate any warning messages.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    -1 findbugs.  The patch appears to introduce 33 new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

     -1 core tests.  The patch failed these unit tests:
                       org.apache.hadoop.hbase.coprocessor.TestRegionServerCoprocessorExceptionWithAbort

Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/2000//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/2000//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/2000//console

This message is automatically generated.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch

        

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-6068:
-----------------------------------

    Attachment: HBASE-6068-v0.patch

Since certain znodes are accessed by the client directly they must be marked as readable by everyone.

HBaseAdmin.checkHBaseAvailable() -> /hbase
ZKTable.populateTableStates() -> /hbase/table/* znodes
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch
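
The ACL state this thread is about, as an added example (not part of the thread or of the HBASE-6068 patch): a small audit that takes per-znode ACLs in ZooKeeper's scheme:id:perms notation and reports client-read znodes that are missing world read, plus world grants wider than the thread calls for. The znode paths are the ones named in the thread's comments; the sasl:hbase identity, the sample ACL maps and the function names are assumptions made for the illustration.

```python
# Added illustration, not HBase code. Znode paths are the ones named in the
# thread; the ACL data below is constructed sample input.
from fnmatch import fnmatchcase

# Znodes the thread says clients read directly. "/hbase/rs" is listed without
# a wildcard because the client only counts its children (v3 patch note).
CLIENT_READ_ZNODES = ("/hbase", "/hbase/table", "/hbase/table/*", "/hbase/rs")

MISSING = "client-read znode is not world-readable"
TOO_OPEN = "world:anyone holds more than read"
UNNEEDED = "world-readable but not on the client-read list"


def parse_acl(entry):
    """Split 'scheme:id:perms'; the id itself may contain ':' (digest ids)."""
    rest, perms = entry.rsplit(":", 1)
    scheme, ident = rest.split(":", 1)
    if not perms or set(perms) - set("cdrwa"):
        raise ValueError("bad permission string in %r" % entry)
    return scheme, ident, set(perms)


def world_perms(entries):
    """Union of the permissions granted to world:anyone on one znode."""
    granted = set()
    for entry in entries:
        scheme, ident, perms = parse_acl(entry)
        if (scheme, ident) == ("world", "anyone"):
            granted |= perms
    return granted


def audit(znode_acls, extra_public=()):
    """Return sorted (path, finding) pairs for a {path: [acl, ...]} map.

    extra_public: patterns for other znodes meant to be public, such as the
    master address, root server and clusterId znodes. Their paths are not
    given in the thread, so the caller supplies them.
    """
    public = CLIENT_READ_ZNODES + tuple(extra_public)
    findings = []
    for path in sorted(znode_acls):
        world = world_perms(znode_acls[path])
        expected = any(fnmatchcase(path, pat) for pat in public)
        if expected and "r" not in world:
            findings.append((path, MISSING))    # symptom reported in this issue
        if world - {"r"}:
            findings.append((path, TOO_OPEN))   # anyone could modify the znode
        if not expected and "r" in world:
            findings.append((path, UNNEEDED))   # wider than the clients need
    return findings


# Constructed sample: every znode created by the "hbase" service identity with
# creator-only access, the situation described by the reporter.
OWNER_ONLY = ["sasl:hbase:cdrwa"]
BEFORE = {
    "/hbase": OWNER_ONLY,
    "/hbase/table": OWNER_ONLY,
    "/hbase/table/t1": OWNER_ONLY,
    "/hbase/rs": OWNER_ONLY,
    "/hbase/rs/host1": OWNER_ONLY,
}

# Constructed sample: creator keeps full access, world gets read only on the
# znodes clients touch; children of /hbase/rs stay private.
PUBLIC_READ = OWNER_ONLY + ["world:anyone:r"]
AFTER = dict(BEFORE)
for _path in ("/hbase", "/hbase/table", "/hbase/table/t1", "/hbase/rs"):
    AFTER[_path] = PUBLIC_READ

# Constructed sample of an over-corrected cluster.
TOO_WIDE = {
    "/hbase/table/t1": ["world:anyone:cdrwa"],
    "/hbase/rs/host1": PUBLIC_READ,
}

if __name__ == "__main__":
    for name, state in (("before", BEFORE), ("after", AFTER), ("too wide", TOO_WIDE)):
        print(name)
        for path, finding in audit(state) or [("-", "no findings")]:
            print("  %-18s %s" % (path, finding))
```
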

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13282200#comment-13282200 ] 

Matteo Bertozzi commented on HBASE-6068:
----------------------------------------

This is not related to acl coprocessor, global permission or table permission.
For non rootServer/masterAddress/clusterId zknodes, ZKUtil.createACL() creates the acl for CREATOR_ALL_ACL... but the call to zookeeper is done by hbase and not by the current user.

So the owner of zookeeper node is "hbase" user and not the current user as checked in the acl coprocessor.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0
>            Reporter: Anoop Sam John

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286209#comment-13286209 ] 

Hudson commented on HBASE-6068:
-------------------------------

Integrated in HBase-TRUNK-on-Hadoop-2.0.0 #33 (See [https://builds.apache.org/job/HBase-TRUNK-on-Hadoop-2.0.0/33/])
    HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344456)

     Result = FAILURE
stack : 
Files : 
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java

                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286167#comment-13286167 ] 

Hudson commented on HBASE-6068:
-------------------------------

Integrated in HBase-0.94 #236 (See [https://builds.apache.org/job/HBase-0.94/236/])
    HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344472)

     Result = SUCCESS
stack : 
Files : 
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java

                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13287173#comment-13287173 ] 

Hudson commented on HBASE-6068:
-------------------------------

Integrated in HBase-0.94-security #33 (See [https://builds.apache.org/job/HBase-0.94-security/33/])
    HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344472)

     Result = FAILURE
stack : 
Files : 
* /hbase/branches/0.94/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java

                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch

        

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-6068:
-----------------------------------

    Attachment: HBASE-6068-v2.patch

rebase after trunk modularization HBASE-4336
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283609#comment-13283609 ] 

Matteo Bertozzi commented on HBASE-6068:
----------------------------------------

HBaseAdmin.checkHBaseAvailable() -> exists() /hbase
ZKTable.populateTableStates() -> listChildrenNoWatch() /hbase/table/* znodes
ZKTable.getTableState() -> getData() /hbase/table/<table name>
HConnectionManager.getCurrentNrHRS() -> getNumberOfChildren() -> /hbase/rs/
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch
>
>

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "ramkrishna.s.vasudevan (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283614#comment-13283614 ] 

ramkrishna.s.vasudevan commented on HBASE-6068:
-----------------------------------------------

@Matteo
Thanks for bringing out similar cases that deal with ZK.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch
>
>

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Laxman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281616#comment-13281616 ] 

Laxman commented on HBASE-6068:
-------------------------------

#1 & #2 refer to the issues in my previous comment.

#1 is due to restricted access to znodes. To fix this we may need some design changes in handling znodes.

#2 is due to the wrong check in AC (AccessController). Handled as part of HBASE-6061.

                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0
>            Reporter: Anoop Sam John
>

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13284992#comment-13284992 ] 

Matteo Bertozzi commented on HBASE-6068:
----------------------------------------

any comments/thoughts on this patch?
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>
>

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Laxman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281624#comment-13281624 ] 

Laxman commented on HBASE-6068:
-------------------------------

bq. #2 is due to the wrong check in AC (AccessController). Handled as part of HBASE-6061.

Gone through the HBASE-6061 patch. It addresses a different problem. We actually need to check for table permissions instead of global permissions here.

{code}
+  private void requireTableAdminPermission(MasterCoprocessorEnvironment e,
+      byte[] tableName) throws IOException {
+    if (isActiveUserTableOwner(e, tableName)) {
+      requirePermission(Permission.Action.CREATE);
+    } else {
+      requirePermission(Permission.Action.ADMIN);
+    }
+  }
{code}
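
Review bot: both branches call requirePermission(...) with only the action, so tableName is used for the isActiveUserTableOwner test but never reaches the permission check itself; as written, neither the CREATE nor the ADMIN requirement is visibly scoped to the table. Pass tableName through to the check, or add a javadoc stating that a cluster-wide CREATE grant for owners and ADMIN grant for non-owners is what is intended.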

I think this needs to be handled as a separate JIRA.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0
>            Reporter: Anoop Sam John
>

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286022#comment-13286022 ] 

Andrew Purtell commented on HBASE-6068:
---------------------------------------

+1 on the latest patch. I'll open another JIRA on the question of whether we should tighten up the client's need for znodes anywhere.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>
>

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283634#comment-13283634 ] 

Hadoop QA commented on HBASE-6068:
----------------------------------

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12529749/HBASE-6068-v0.patch
  against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    -1 tests included.  The patch doesn't appear to include any new or modified tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    +1 hadoop23.  The patch compiles against the hadoop 0.23.x profile.

    +1 javadoc.  The javadoc tool did not generate any warning messages.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    -1 findbugs.  The patch appears to introduce 33 new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    +1 core tests.  The patch passed unit tests in .

Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1997//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1997//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1997//console

This message is automatically generated.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch
>
>

        

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "stack (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

stack updated HBASE-6068:
-------------------------

    Fix Version/s:     (was: 0.96.0)
                   0.94.1
                   0.92.2
    
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>
>

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283643#comment-13283643 ] 

Hadoop QA commented on HBASE-6068:
----------------------------------

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12529753/HBASE-6068-v0.patch
  against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    -1 tests included.  The patch doesn't appear to include any new or modified tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    +1 hadoop23.  The patch compiles against the hadoop 0.23.x profile.

    +1 javadoc.  The javadoc tool did not generate any warning messages.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    -1 findbugs.  The patch appears to introduce 33 new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    +1 core tests.  The patch passed unit tests in .

Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/1998//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/1998//artifact/trunk/patchprocess/newPatchFindbugsWarnings.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/1998//console

This message is automatically generated.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch
>
>

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Anoop Sam John (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281397#comment-13281397 ] 

Anoop Sam John commented on HBASE-6068:
---------------------------------------

HBaseAdmin
isTableEnabled()
isTableEnabled()
disableTable()

These APIs will have the problem. All of these make a call to HConnectionManagerImpl.testTableOnlineState(byte [] tableName, boolean online), which in turn tries to read from ZK.

It will read the path /hbase/table/<tabName>, for which there is no global read permission.

                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0
>            Reporter: Anoop Sam John
>

        

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-6068:
-----------------------------------

    Attachment: HBASE-6068-v1.patch

Missed one in the list: the hbase shell calls ZooKeeper directly on the zk_dump command
zk_dump -> listChildrenNoWatch() /hbase/backup-masters/*
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch
>
>
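
The read failures listed in the comments above (the /hbase/table, /hbase/rs and /hbase/backup-masters reads), as an added example that is not part of the thread or of the HBase patches: a small Python model of per-znode ACLs that evaluates those client calls against a world-readable list. The three znode names in ORIGINAL_WORLD_READABLE, the table name t1, the principal names and all helper functions are assumptions; the exists() call on /hbase is left out because the model covers only operations gated by ZooKeeper's READ permission.

```python
# Illustrative model only: not HBase's ZKUtil.createACL() and not the attached patch.

# ZooKeeper permission bits.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

# getData and getChildren are both gated by READ; setData by WRITE.
OP_PERM = {"getData": READ, "getChildren": READ, "setData": WRITE}

# Assumed names for the master address, root server and clusterId znodes
# that the issue description says are readable by everyone.
ORIGINAL_WORLD_READABLE = [
    "/hbase/master",
    "/hbase/root-region-server",
    "/hbase/hbaseid",
]

# Paths named in the thread. "/hbase/table/*" stands for each per-table child.
EXTENDED_WORLD_READABLE = ORIGINAL_WORLD_READABLE + [
    "/hbase/table",
    "/hbase/table/*",
    "/hbase/rs",
    "/hbase/backup-masters",
]

# Client-side reads listed in the thread: (caller, operation, znode touched).
# Listing children needs READ on the parent znode; t1 is a constructed table name.
CLIENT_CALLS = [
    ("ZKTable.populateTableStates", "getChildren", "/hbase/table"),
    ("ZKTable.getTableState", "getData", "/hbase/table/t1"),
    ("HConnectionManager.getCurrentNrHRS", "getChildren", "/hbase/rs"),
    ("zk_dump", "getChildren", "/hbase/backup-masters"),
]


def matches(pattern, path):
    """Exact match, or 'parent/*' matching direct children of parent only."""
    if pattern.endswith("/*"):
        parent = pattern[:-2]
        child = path[len(parent) + 1:]
        return path.startswith(parent + "/") and child != "" and "/" not in child
    return pattern == path


def build_acl(path, creator, world_readable):
    """ACL for one znode: creator gets ALL, listed znodes also get world READ.

    ZooKeeper ACLs are per znode and are not inherited by children, so the
    decision is made for each path on its own.
    """
    acl = [("sasl", creator, ALL)]
    if any(matches(p, path) for p in world_readable):
        acl.append(("world", "anyone", READ))
    return acl


def permitted(acl, principal, perm):
    """True if any ACL entry applying to this principal carries the permission."""
    for scheme, ident, perms in acl:
        applies = scheme == "world" or (scheme == "sasl" and ident == principal)
        if applies and perms & perm:
            return True
    return False


def denied_calls(world_readable, principal="client-user", creator="hbase"):
    """Names of the client calls whose znode read would be refused."""
    denied = []
    for caller, op, znode in CLIENT_CALLS:
        acl = build_acl(znode, creator, world_readable)
        if not permitted(acl, principal, OP_PERM[op]):
            denied.append(caller)
    return denied


if __name__ == "__main__":
    print("denied with original list:", denied_calls(ORIGINAL_WORLD_READABLE))
    # Opening only the parent does not open the per-table child znodes.
    parent_only = ORIGINAL_WORLD_READABLE + ["/hbase/table"]
    print("denied with /hbase/table only:", denied_calls(parent_only))
    print("denied with extended list:", denied_calls(EXTENDED_WORLD_READABLE))
    acl = build_acl("/hbase/table/t1", "hbase", EXTENDED_WORLD_READABLE)
    print("client may write table znode:", permitted(acl, "client-user", WRITE))
```

The second case is the one to check when reviewing such a change: making /hbase/table world-readable lets a client list the tables but still leaves each /hbase/table/<table name> znode unreadable unless it gets its own entry.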

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "stack (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286029#comment-13286029 ] 

stack commented on HBASE-6068:
------------------------------

Applied to trunk.  Doesn't apply to 0.94.  Want to make a patch for 0.94 and 0.92, Matteo?  Thanks.
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>
>

        

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "stack (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

stack updated HBASE-6068:
-------------------------

    Fix Version/s:     (was: 0.94.1)
                       (was: 0.92.2)
                   0.96.0
    
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.96.0
>
>         Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>
>

        

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286082#comment-13286082 ] 

Hudson commented on HBASE-6068:
-------------------------------

Integrated in HBase-TRUNK #2957 (See [https://builds.apache.org/job/HBase-TRUNK/2957/])
    HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344456)

     Result = FAILURE
stack : 
Files : 
* /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java

                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286236#comment-13286236 ] 

Hudson commented on HBASE-6068:
-------------------------------

Integrated in HBase-0.92 #435 (See [https://builds.apache.org/job/HBase-0.92/435/])
    HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344471)

     Result = SUCCESS
stack : 
Files : 
* /hbase/branches/0.92/CHANGES.txt
* /hbase/branches/0.92/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java

                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Laxman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281599#comment-13281599 ] 

Laxman commented on HBASE-6068:
-------------------------------

Just tried out these APIs from a Java client in our secure cluster.

Scenario:
* Create a table 'test' and grant admin 'A' permission to 'testuser'
* Try the admin operations (isTableEnabled, isTableDisabled, enableTable, disableTable) from a Java client

There are actually two issues.

1) isTableEnabled & isTableDisabled - Failed on client with the following error (ZK No Auth) as mentioned in this issue.

{noformat}
12/05/22 17:44:49 WARN zookeeper.ZKUtil: hconnection-0x3377326f2010023 Unable to get data of znode /hbase/table/test
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/table/test
at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1131)
at org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper.getData(RecoverableZooKeeper.java:264)
at org.apache.hadoop.hbase.zookeeper.ZKUtil.getData(ZKUtil.java:467)
at org.apache.hadoop.hbase.zookeeper.ZKTable.getTableState(ZKTable.java:109)
at org.apache.hadoop.hbase.zookeeper.ZKTable.isEnabledTable(ZKTable.java:283)
at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.testTableOnlineState(HConnectionManager.java:776)
at org.apache.hadoop.hbase.client.HConnectionManager$HConnectionImplementation.isTableEnabled(HConnectionManager.java:729)
at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:873)
at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:864)
{noformat}


2) enableTable & disableTable - Failed on master with the following error (HBase - access denied).

{noformat}
Exception in thread "main" org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'testuser' (global, action=ADMIN)
	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:368)
	at org.apache.hadoop.hbase.security.access.AccessController.preDisableTable(AccessController.java:578)
	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preDisableTable(MasterCoprocessorHost.java:351)
	at org.apache.hadoop.hbase.master.HMaster.disableTable(HMaster.java:1220)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:372)
	at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1376)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
	at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:90)
	at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:79)
	at org.apache.hadoop.hbase.client.HBaseAdmin.disableTableAsync(HBaseAdmin.java:763)
	at org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(HBaseAdmin.java:786)
{noformat}
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0
>            Reporter: Anoop Sam John

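The two failures reported in the comment above are raised by different layers: the ZooKeeper znode ACL on the client read path, and the HBase AccessController on the master. The following Python script is an added example, not part of the original thread or of HBase; it separates the two in a client log and names the HBaseAdmin call that triggered each. The function name `triage`, the result field names, and the abbreviated sample log are constructed for illustration.

```python
import re

# Constructed sample: abbreviated copies of the two traces quoted in the comment.
SAMPLE_LOG = """\
12/05/22 17:44:49 WARN zookeeper.ZKUtil: hconnection-0x3377326f2010023 Unable to get data of znode /hbase/table/test
org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/table/test
at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1131)
at org.apache.hadoop.hbase.zookeeper.ZKTable.getTableState(ZKTable.java:109)
at org.apache.hadoop.hbase.client.HBaseAdmin.isTableEnabled(HBaseAdmin.java:873)
Exception in thread "main" org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'testuser' (global, action=ADMIN)
\tat org.apache.hadoop.hbase.security.access.AccessController.preDisableTable(AccessController.java:578)
\tat org.apache.hadoop.hbase.master.HMaster.disableTable(HMaster.java:1220)
\tat org.apache.hadoop.hbase.client.HBaseAdmin.disableTableAsync(HBaseAdmin.java:763)
\tat org.apache.hadoop.hbase.client.HBaseAdmin.disableTable(HBaseAdmin.java:786)
"""

# Denial raised by ZooKeeper itself: the session lacks READ on the znode.
ZK_DENY = re.compile(
    r"KeeperException\$NoAuthException: KeeperErrorCode = NoAuth for (\S+)")
# Denial raised by the HBase AccessController and relayed to the client.
HBASE_DENY = re.compile(
    r"AccessDeniedException: Insufficient permissions for user '([^']+)' "
    r"\(([^,)]+), action=(\w+)\)")
# One Java stack frame: "at <class>.<method>(<file>:<line>)".
FRAME = re.compile(r"^\s*at ([\w.$]+)\.([\w<>]+)\(")
ADMIN_CLASS = "org.apache.hadoop.hbase.client.HBaseAdmin"


def triage(log_text):
    """Return one finding per authorization failure found in log_text."""
    findings = []
    current = None  # finding whose stack trace is being read
    for line in log_text.splitlines():
        zk = ZK_DENY.search(line)
        hb = HBASE_DENY.search(line)
        frame = FRAME.match(line)
        if zk:
            current = {"layer": "zookeeper-acl", "znode": zk.group(1),
                       "api": None}
            findings.append(current)
        elif hb:
            current = {"layer": "hbase-acl", "user": hb.group(1),
                       "scope": hb.group(2), "action": hb.group(3),
                       "api": None}
            findings.append(current)
        elif frame:
            # Keep the outermost HBaseAdmin frame: the API the caller used.
            if current is not None and frame.group(1) == ADMIN_CLASS:
                current["api"] = frame.group(2)
        else:
            current = None  # any other line ends the current trace
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `zookeeper-acl` finding points at the ACL set on the named znode, while an `hbase-acl` finding points at the grants held by the named user; neither change affects the other layer.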
[jira] [Closed] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Lars Hofhansl (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lars Hofhansl closed HBASE-6068.
--------------------------------

    
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>

[jira] [Commented] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13287246#comment-13287246 ] 

Hudson commented on HBASE-6068:
-------------------------------

Integrated in HBase-0.92-security #109 (See [https://builds.apache.org/job/HBase-0.92-security/109/])
    HBASE-6068 Secure HBase cluster : Client not able to call some admin APIs (Revision 1344471)

     Result = SUCCESS
stack : 
Files : 
* /hbase/branches/0.92/CHANGES.txt
* /hbase/branches/0.92/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java

                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.92.2, 0.94.1
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-6068:
-----------------------------------

    Attachment: HBASE-6068-0.92.patch

Attached patch for 0.92 that also applies on trunk
                
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.92.1, 0.94.0, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>             Fix For: 0.96.0
>
>         Attachments: HBASE-6068-0.92.patch, HBASE-6068-v0.patch, HBASE-6068-v1.patch, HBASE-6068-v2.patch, HBASE-6068-v3.patch
>

[jira] [Updated] (HBASE-6068) Secure HBase cluster : Client not able to call some admin APIs

Posted by "Matteo Bertozzi (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matteo Bertozzi updated HBASE-6068:
-----------------------------------

    Affects Version/s: 0.96.0
                       0.92.1
               Status: Patch Available  (was: Open)
    
> Secure HBase cluster : Client not able to call some admin APIs
> --------------------------------------------------------------
>
>                 Key: HBASE-6068
>                 URL: https://issues.apache.org/jira/browse/HBASE-6068
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.0, 0.92.1, 0.96.0
>            Reporter: Anoop Sam John
>            Assignee: Matteo Bertozzi
>         Attachments: HBASE-6068-v0.patch
>