[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Himanshu Vashishtha updated HBASE-9973: --------------------------------------- Attachment: 9973-v2.patch > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > ------------------------------------------------------------------------------------------------------------ > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: security > Affects Versions: 0.96.0, 0.96.1 > Reporter: Aleksandr Shulman > Assignee: Himanshu Vashishtha > Labels: acl > Fix For: 0.96.1 > > Attachments: 9973-v2.patch, 9973.patch > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTable column=l:hdfs, timestamp=1384454830701, value=RW > > TestTable column=l:root, timestamp=1384455875586, value=RWCA > > _acl_ column=l:root, timestamp=1384454767568, value=C > > _acl_ column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:acl column=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_ column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)