Posted to dev@hbase.apache.org by "Shibin Zhang (JIRA)" <ji...@apache.org> on 2017/07/05 06:55:00 UTC
[jira] [Created] (HBASE-18323) Remove multiple ACLs for the same user in kerberos
Shibin Zhang created HBASE-18323:
------------------------------------
Summary: Remove multiple ACLs for the same user in kerberos
Key: HBASE-18323
URL: https://issues.apache.org/jira/browse/HBASE-18323
Project: HBase
Issue Type: Bug
Affects Versions: 3.0.0
Reporter: Shibin Zhang
Priority: Critical
When deploying HBase the Kerberos way, there will be multiple ACLs on the znode:
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
I also saw the related issue and applied its patch, https://issues.apache.org/jira/browse/HBASE-17717,
but in my environment this situation still appears.
After digging into the code, I found that the reason, in the source code of ZKUtil.createAcl, is:
    if (zkw.isClientReadable(node)) {
      LOG.error("isSecureZooKeeper user: clientReadable");
      acls.addAll(Ids.CREATOR_ALL_ACL);
      acls.addAll(Ids.READ_ACL_UNSAFE);
    } else {
      LOG.error("isSecureZooKeeper user: clientReadable no");
      acls.addAll(Ids.CREATOR_ALL_ACL);
    }
    acls.addAll(Ids.CREATOR_ALL_ACL);

    Id AUTH_IDS = new Id("auth", "");
    ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new ACL(31, AUTH_IDS)));
AUTH_IDS with "auth" will cause the current connection's auth user to be added to the znode ACL,
so multiple ACLs will appear for the same user.
I think we can remove this line of code: acls.addAll(Ids.CREATOR_ALL_ACL);
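Added example (not part of the original report and not HBase or ZooKeeper code): a Python check that parses getAcl output in the two-line form quoted in the report and flags identities that are listed more than once, then collapses them into one entry each. The sample text is constructed from the report's listing, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample: the getAcl listing quoted in the report above.
SAMPLE = """'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
"""

PERM_ORDER = "cdrwa"  # create, delete, read, write, admin


def parse_getacl(text):
    """Parse two-line getAcl entries into (scheme, id, perms) tuples."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":") and pending is not None:
            letters = line[1:].strip()
            if set(letters) - set(PERM_ORDER):
                raise ValueError(f"bad permission string: {line!r}")
            # Normalise letter order so "rw" and "wr" compare equal.
            perms = "".join(c for c in PERM_ORDER if c in letters)
            entries.append((*pending, perms))
            pending = None
        elif line.startswith("'") and pending is None and "," in line:
            # Split on the first comma only: ids may themselves contain commas.
            scheme, ident = line.split(",", 1)
            pending = (scheme.lstrip("'"), ident.lstrip("'"))
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if pending is not None:
        raise ValueError(f"entry without permissions: {pending!r}")
    return entries


def duplicate_identities(entries):
    """Map (scheme, id) -> occurrence count for identities listed more than once."""
    counts = Counter((scheme, ident) for scheme, ident, _ in entries)
    return {key: n for key, n in counts.items() if n > 1}


def effective_acl(entries):
    """Collapse repeats: union of permissions per identity, first-seen order."""
    merged = {}
    for scheme, ident, perms in entries:
        merged.setdefault((scheme, ident), set()).update(perms)
    return [(s, i, "".join(c for c in PERM_ORDER if c in p))
            for (s, i), p in merged.items()]
```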