[jira] [Commented] (HBASE-11194) [AccessController] issue with covering permission check in case of concurrent op on same row

Hadoop QA (JIRA) Tue, 03 Jun 2014 11:53:39 -0700

    [ 
https://issues.apache.org/jira/browse/HBASE-11194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14016990#comment-14016990
 ]


Hadoop QA commented on HBASE-11194:
-----------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest 
attachment 
  http://issues.apache.org/jira/secure/attachment/12648190/HBASE-11194.patch
  against trunk revision .
  ATTACHMENT ID: 12648190

    {color:green}+1 @author{color}.  The patch does not contain any @author 
tags.

    {color:green}+1 tests included{color}.  The patch appears to include 3 new 
or modified tests.

    {color:green}+1 javac{color}.  The applied patch does not increase the 
total number of javac compiler warnings.

    {color:green}+1 javadoc{color}.  The javadoc tool did not generate any 
warning messages.

    {color:green}+1 findbugs{color}.  The patch does not introduce any new 
Findbugs (version 1.3.9) warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase 
the total number of release audit warnings.

    {color:green}+1 lineLengths{color}.  The patch does not introduce lines 
longer than 100

  {color:green}+1 site{color}.  The mvn site goal succeeds with this patch.

     {color:red}-1 core tests{color}.  The patch failed these unit tests:
                       
org.apache.hadoop.hbase.regionserver.TestRSKilledWhenInitializing

Test results: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Console output: 
https://builds.apache.org/job/PreCommit-HBASE-Build/9678//console

This message is automatically generated.

> [AccessController] issue with covering permission check in case of concurrent 
> op on same row
> --------------------------------------------------------------------------------------------
>
>                 Key: HBASE-11194
>                 URL: https://issues.apache.org/jira/browse/HBASE-11194
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.98.0
>            Reporter: Anoop Sam John
>            Assignee: Anoop Sam John
>             Fix For: 0.99.0, 0.98.4
>
>         Attachments: HBASE-11194.patch
>
>
> The issue is the hook where we do check in which we have not acquired 
> rowlock. Take case of delete, we do the check in the preDelete() hook. We do 
> get the covering cells and check against their acls. At the point of the 
> preDelete hook, we have not acquired the row lock on the deleting row.
> Consider 2 parallel threads one doing put and other delete both dealing with 
> same row.
> Thread 1 acquired the rowlock and decided the TS  (HRS time) and doing the 
> memstore write and HLog sync but the mvcc read point is NOT advanced. 
> Thread 2 at same time, doing the delete of the row (Say with latest TS . The 
> intent is to delete entire row) and in place of preDelete hook. There is no 
> row locking happening at this point. As part of covering permission check, it 
> doing a Get. But as said above, the put is not complete and the mvcc advance 
> has not happened. So the Get won’t return the new cell.  It will return the 
> old cells. And the check pass for the old cells.  Now suppose the new cell 
> ACL is not matching for the deleting user.  But the cell was not read, the 
> check has not happened.  So the ACL check will allow the user  to delete 
> row..  The flow later comes to HRegion#doMiniBatchMutate() and try acquire 
> row lock and by that time the Thread 1 op was over. So it will get lock and 
> will add the delete tombstone.  As a result the cell, for which the deleting 
> user has no acl right, also will get deleted.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

[jira] [Commented] (HBASE-11194) [AccessController] issue with covering permission check in case of concurrent op on same row

Reply via email to