You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Shibin Zhang (JIRA)" <ji...@apache.org> on 2017/07/05 06:57:00 UTC
[jira] [Updated] (HBASE-18323) Remove multiple ACLs for the same
user in kerberos
[ https://issues.apache.org/jira/browse/HBASE-18323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shibin Zhang updated HBASE-18323:
---------------------------------
Attachment: HBASE-18323.patch
> Remove multiple ACLs for the same user in kerberos
> --------------------------------------------------
>
> Key: HBASE-18323
> URL: https://issues.apache.org/jira/browse/HBASE-18323
> Project: HBase
> Issue Type: Bug
> Affects Versions: 3.0.0
> Reporter: Shibin Zhang
> Priority: Critical
> Attachments: HBASE-18323.patch
>
>
> When deploy hbase in kerberos way ,there will be multiple acls in znode :
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> I also see the related issue and apply the patch, like https://issues.apache.org/jira/browse/HBASE-17717
> but in my environment ,this situation still appear,
> After dig into the code , i found the reason in source code ZKUtil.createAcl is
> if (zkw.isClientReadable(node)) {
> LOG.error("isSecureZooKeeper user: clientReadable");
> acls.addAll(Ids.CREATOR_ALL_ACL);
> acls.addAll(Ids.READ_ACL_UNSAFE);
> } else {
> LOG.error("isSecureZooKeeper user: clientReadable no");
> acls.addAll(Ids.CREATOR_ALL_ACL);
> }
> acls.addAll(Ids.CREATOR_ALL_ACL);
>
> Id AUTH_IDS = new Id("auth", "");
> ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new ACL(31, AUTH_IDS)));
> AUTH_IDS with "auth " will result current connection auth user add to znode acl ,
> so it will appear multiple acls for same users.
> I think this line of code we can remove : acls.addAll(Ids.CREATOR_ALL_ACL);
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)