You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2012/10/05 02:38:05 UTC
[jira] [Commented] (HBASE-6851) Race condition in
TableAuthManager.updateGlobalCache()
[ https://issues.apache.org/jira/browse/HBASE-6851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13469903#comment-13469903 ]
Hudson commented on HBASE-6851:
-------------------------------
Integrated in HBase-0.94-security-on-Hadoop-23 #8 (See [https://builds.apache.org/job/HBase-0.94-security-on-Hadoop-23/8/])
HBASE-6851 Fix race condition in TableAuthManager.updateGlobalCache() (Revision 1388898)
Result = FAILURE
garyh :
Files :
* /hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
* /hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java
> Race condition in TableAuthManager.updateGlobalCache()
> ------------------------------------------------------
>
> Key: HBASE-6851
> URL: https://issues.apache.org/jira/browse/HBASE-6851
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.94.1, 0.96.0
> Reporter: Gary Helmling
> Assignee: Gary Helmling
> Priority: Critical
> Fix For: 0.94.2, 0.96.0
>
> Attachments: HBASE-6851_2.patch, HBASE-6851_3.patch, HBASE-6851.patch
>
>
> When new global permissions are assigned, there is a race condition, during which further authorization checks relying on global permissions may fail.
> In TableAuthManager.updateGlobalCache(), we have:
> {code:java}
> USER_CACHE.clear();
> GROUP_CACHE.clear();
> try {
> initGlobal(conf);
> } catch (IOException e) {
> // Never happens
> LOG.error("Error occured while updating the user cache", e);
> }
> for (Map.Entry<String,TablePermission> entry : userPerms.entries()) {
> if (AccessControlLists.isGroupPrincipal(entry.getKey())) {
> GROUP_CACHE.put(AccessControlLists.getGroupName(entry.getKey()),
> new Permission(entry.getValue().getActions()));
> } else {
> USER_CACHE.put(entry.getKey(), new Permission(entry.getValue().getActions()));
> }
> }
> {code}
> If authorization checks come in following the .clear() but before repopulating, they will fail.
> We should have some synchronization here to serialize multiple updates and use a COW type rebuild and reassign of the new maps.
> This particular issue crept in with the fix in HBASE-6157, so I'm flagging for 0.94 and 0.96.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira