Posted to issues@hbase.apache.org by "Andrew Purtell (JIRA)" <ji...@apache.org> on 2016/02/05 01:19:39 UTC

[jira] [Comment Edited] (HBASE-15200) ZooKeeper znode ACL checks should only compare the shortname

    [ https://issues.apache.org/jira/browse/HBASE-15200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15133394#comment-15133394 ] 

Andrew Purtell edited comment on HBASE-15200 at 2/5/16 12:19 AM:
-----------------------------------------------------------------

Ok I made the change and am committing an addendum now. This time I ran a Findbugs check in Eclipse after editing ZooKeeperWatcher.java, and see 0 warnings from this file after the change.


was (Author: apurtell):
Ok I made the change and am committing an addendum now. This time I ran a Findbugs check in Eclipse after editing the file, and see 0 warnings from this file after the change.

> ZooKeeper znode ACL checks should only compare the shortname
> ------------------------------------------------------------
>
>                 Key: HBASE-15200
>                 URL: https://issues.apache.org/jira/browse/HBASE-15200
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.0, 1.2.0, 1.0.3, 1.1.3, 0.98.17
>            Reporter: Andrew Purtell
>            Assignee: Andrew Purtell
>            Priority: Minor
>             Fix For: 2.0.0, 1.3.0, 1.2.1, 1.1.4, 1.0.4, 0.98.18
>
>         Attachments: HBASE-15200-branch-1.0.patch, HBASE-15200-branch-1.1.patch, HBASE-15200.patch, HBASE-15200.patch
>
>
> After HBASE-13768 we check at startup in secure configurations if our znodes have the correct ACLs. However when checking the ACL we compare the Kerberos fullname, which includes the host component. We should only compare the shortname, the principal. Otherwise in a multimaster configuration we will unnecessarily reset ACLs whenever any master running on a host other than the one that initialized the ACLs makes the check. You can imagine this happening multiple times in a rolling restart scenario.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
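
The effect described in the issue, as an added example that is not part of the original message and is not HBase code: a simplified model of a startup ACL check run by three masters during a rolling restart, comparing the Kerberos full name versus the short name. The class and method names, the host names and the realm are constructed for illustration, and the model assumes the stored ACL owner is a full principal that a reset rewrites to the checking master's own.

```java
import java.util.List;

// Simplified model of the startup znode ACL check from the issue; not HBase code.
// Principals, hosts and realm are constructed sample values.
public class ZnodeAclCheckDemo {

    // Kerberos principal form: primary[/instance]@REALM. The short name is the primary.
    static String shortName(String principal) {
        int end = principal.length();
        int at = principal.indexOf('@');
        if (at >= 0) end = at;
        int slash = principal.indexOf('/');
        if (slash >= 0 && slash < end) end = slash;
        return principal.substring(0, end);
    }

    // Check as described before the fix: full name, host component included.
    static boolean matchesFullName(String aclOwner, String me) {
        return aclOwner.equals(me);
    }

    // Check as the issue proposes: short names only.
    static boolean matchesShortName(String aclOwner, String me) {
        return shortName(aclOwner).equals(shortName(me));
    }

    // Each master checks the ACL at startup and resets it on mismatch.
    // Returns the number of resets across one rolling restart.
    static int rollingRestartResets(List<String> masters, boolean shortNameOnly) {
        String aclOwner = masters.get(0); // assumption: first master initialized the ACLs
        int resets = 0;
        for (String me : masters) {
            boolean ok = shortNameOnly ? matchesShortName(aclOwner, me)
                                       : matchesFullName(aclOwner, me);
            if (!ok) { aclOwner = me; resets++; } // assumption: reset rewrites the owner
        }
        return resets;
    }

    public static void main(String[] args) {
        List<String> masters = List.of(
            "hbase/master1.example.com@EXAMPLE.COM",
            "hbase/master2.example.com@EXAMPLE.COM",
            "hbase/master3.example.com@EXAMPLE.COM");
        System.out.println("full name resets:  " + rollingRestartResets(masters, false));
        System.out.println("short name resets: " + rollingRestartResets(masters, true));
        // A different service principal on the same host must still fail the check.
        System.out.println("other service ok:  " + matchesShortName(masters.get(0),
            "zookeeper/master1.example.com@EXAMPLE.COM"));
    }
}
```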