You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Andrew Purtell (JIRA)" <ji...@apache.org> on 2013/03/28 18:45:18 UTC

[jira] [Updated] (HBASE-8213) global authorization may lose efficacy

     [ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Purtell updated HBASE-8213:
----------------------------------

          Component/s: security
    Affects Version/s: 0.94.7
                       0.96.0
                       0.95.0
    
> global authorization may lose efficacy 
> ---------------------------------------
>
>                 Key: HBASE-8213
>                 URL: https://issues.apache.org/jira/browse/HBASE-8213
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.95.0, 0.96.0, 0.94.7
>            Reporter: Jieshan Bean
>            Assignee: Jieshan Bean
>            Priority: Critical
>
> It depends on the order of which region be opened first.  
> Suppose we have one 1 regionserver and only 1 user region REGION-A on this server, _acl_ region was on another regionserver. _acl_ was opened a few seconds before REGION-A.
> The global authorization data read from Zookeeper was overwritten by the data read from configuration.
> {code}
>   private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
>       throws IOException {
>     this.conf = conf;
>     this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
>     try {
> 	  // Read global authorization data from zookeeper. 
>       this.zkperms.start();
>     } catch (KeeperException ke) {
>       LOG.error("ZooKeeper initialization failed", ke);
>     }
>     // It will overwrite globalCache.
>     // initialize global permissions based on configuration
>     globalCache = initGlobal(conf);
>   }
> {code}
> This issue can be easily reproduced by below steps:
> 1. Start a cluster with 3 regionservers.
> 2. Create a new table T1.
> 3. grant a new user USER-A with global authorization.
> 4. Kill 1 regionserver RS3 and switch balance off.
> 5. Start regionserver RS3.
> 6. Assign region T1 to RS3.
> 7. Put data with user USER-A.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira