[jira] [Commented] (HBASE-12644) Visibility Labels: issue with storing super users in labels table

Fri, 12 Dec 2014 18:06:06 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-12644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14245105#comment-14245105
 ] 

Jerry He commented on HBASE-12644:
----------------------------------

Attached v3 patch.
This patch removed the call to this.labelsCache.refreshLabelsCache(serialized) 
updateZk().
It also puts the creation of the zk nodes in 
init()-->ZKVisibilityLabelWatcher.start().
Separate the creation of the zk nodes event from data update would practically 
reduce the race condition mentioned in the previous comment.
In theory, clients can call addLabel or setAuths from mutiple threads and 
trigger zk data update events.
But it much less likely to cause problem because each involves a sequence of 
intermediate steps.

With the patch. testing with org.apache.hadoop.hbase.security.visibility.* pass 
everytime I ran.


[~anoop.hbase]
Comment please.  Are you ok with patch?



> Visibility Labels: issue with storing super users in labels table
> -----------------------------------------------------------------
>
>                 Key: HBASE-12644
>                 URL: https://issues.apache.org/jira/browse/HBASE-12644
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.98.8, 0.99.2
>            Reporter: Jerry He
>            Assignee: Jerry He
>             Fix For: 1.0.0, 0.98.10
>
>         Attachments: HBASE-12644-master-v2.patch, 
> HBASE-12644-master-v3.patch, HBASE-12644-master.patch
>
>
> Super users have all the permissions for ACL and Visibility labels.
> They are defined in hbase-site.xml.
> Currently in VisibilityController, we persist super user with their system 
> permission in hbase:labels.
> This makes change in super user difficult.
> There are two issues:
> In the current DefaultVisibilityLabelServiceImpl.addSystemLabel, we only add 
> super user when we initially create the 'system' label.
> No additional update after that even if super user changed. See code for 
> details.
>  
> Additionally, there is no mechanism to remove any super user from the labels 
> table.
>  
> We probably should not persist super users in the labels table.
> They are in hbase-site.xml and can just stay in labelsCache and used from 
> labelsCache after retrieval by Visibility Controller.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to