You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Shibin Zhang (JIRA)" <ji...@apache.org> on 2017/07/08 05:34:01 UTC
[jira] [Comment Edited] (HBASE-18323) Remove multiple ACLs for the
same user in kerberos
[ https://issues.apache.org/jira/browse/HBASE-18323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16078960#comment-16078960 ]
Shibin Zhang edited comment on HBASE-18323 at 7/8/17 5:33 AM:
--------------------------------------------------------------
[~elserj] " always use CREATOR_ALL_ACL, just avoid setting the explicit ACL for the same user"
sorry , i don't know what's your meaning in above ,how to avoid setting ?
" we definitely need some unit test additions for this change "
could you give me some advice? what kind of unit test for change? some logic maybe confused me.
was (Author: zhangshibin):
[~elserj] " always use CREATOR_ALL_ACL, just avoid setting the explicit ACL for the same user"
sorry , i don't know what's your meaning in above ,how to avoid setting ?
" we definitely need some unit test additions for this change "
could you give me some advice? what kind of unit test for change? some logic maybe confused to me.
> Remove multiple ACLs for the same user in kerberos
> --------------------------------------------------
>
> Key: HBASE-18323
> URL: https://issues.apache.org/jira/browse/HBASE-18323
> Project: HBase
> Issue Type: Bug
> Affects Versions: 1.2.0, 3.0.0
> Reporter: Shibin Zhang
> Priority: Minor
> Attachments: HBASE-18323.patch, HBASE-18323-V2.patch, HBASE-18323-V3.patch
>
>
> When deploy hbase in kerberos way ,there will be multiple acls in znode :
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> I also see the related issue and apply the patch, like https://issues.apache.org/jira/browse/HBASE-17717
> but in my environment ,this situation still appear,
> After dig into the code , i found the reason in source code ZKUtil.createAcl is
> if (zkw.isClientReadable(node)) {
> LOG.error("isSecureZooKeeper user: clientReadable");
> acls.addAll(Ids.CREATOR_ALL_ACL);
> acls.addAll(Ids.READ_ACL_UNSAFE);
> } else {
> LOG.error("isSecureZooKeeper user: clientReadable no");
> acls.addAll(Ids.CREATOR_ALL_ACL);
> }
> acls.addAll(Ids.CREATOR_ALL_ACL);
>
> Id AUTH_IDS = new Id("auth", "");
> ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new ACL(31, AUTH_IDS)));
> AUTH_IDS with "auth " will result current connection auth user add to znode acl ,
> so it will appear multiple acls for same users.
> I think this line of code we can remove : acls.addAll(Ids.CREATOR_ALL_ACL);
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)