[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13826322#comment-13826322 ]
Hudson commented on HBASE-9973: ------------------------------- SUCCESS: Integrated in HBase-TRUNK #4687 (See [https://builds.apache.org/job/HBase-TRUNK/4687/]) HBASE-9973 Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x (Himanshu Vashishtha) (mbertozzi: rev 1543179) * /hbase/trunk/hbase-server/src/main/java/org/apache/hadoop/hbase/migration/NamespaceUpgrade.java > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > ------------------------------------------------------------------------------------------------------------ > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: migration, security > Affects Versions: 0.96.0, 0.96.1 > Reporter: Aleksandr Shulman > Assignee: Himanshu Vashishtha > Labels: acl > Fix For: 0.98.0, 0.96.1 > > Attachments: 9973-v2.patch, 9973-v2.patch, 9973.patch > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTable column=l:hdfs, timestamp=1384454830701, value=RW > > TestTable column=l:root, timestamp=1384455875586, value=RWCA > > _acl_ column=l:root, timestamp=1384454767568, value=C > > _acl_ column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:acl column=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_ column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)