[ 
https://issues.apache.org/jira/browse/HBASE-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15233806#comment-15233806
 ] 

Heng Chen commented on HBASE-15577:
-----------------------------------

{quote}
if the node is one of those below, all clients can read the node, but only the 
servers (RegionServer & Master, which have the auth info) can modify it
/hbase
/hbase/meta-region-server
/hbase/master
/hbase/hbaseid
/hbase/rs
/hbase/table
/hbase/table/$tableName
otherwise, only the servers can read and modify the node; the client can't see 
them
{quote}

There are some nodes we need to modify and read on the client side, for example, 
/hbase/replication, /hbase/swithes. How do we deal with these nodes?

> there need be a mechanism to enable ZK's ACL check when the authentication 
> strategy is simple
> ---------------------------------------------------------------------------------------------
>
>                 Key: HBASE-15577
>                 URL: https://issues.apache.org/jira/browse/HBASE-15577
>             Project: HBase
>          Issue Type: Improvement
>    Affects Versions: 1.1.3
>            Reporter: chenxu
>            Assignee: chenxu
>         Attachments: HBASE-15577-02.patch, HBASE-15577-03.patch, 
> HBASE-15577.patch, zk-set-acl.patch
>
>
> if hbase.security.authentication is set to simple, ZKUtil.createACL 
> just returns Ids.OPEN_ACL_UNSAFE, which means that there is no ACL check on the ZK 
> nodes.
> we can refactor this to enable the ACL check function
> manual steps to verify the patch
> *1.set this property in the hbase-site.xml*
> {quote}
>    hbase.security.authentication(simple)
>    hbase.zookeeper.acl (digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa)
>    hbase.zookeeper.auth(digest:admin)
> {quote}
> the digest can be generated by 
> DigestAuthenticationProvider.generateDigest("admin")
> *2.start the cluster*
> *3.verify the zk's node*
> {quote}
>    (1)getAcl /hbase, result is:
>        'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
>        'world,'anyone: r
>    (2)getAcl /hbase/table-lock, result is:
>        'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
> {quote}
> if the node is one of those below, all clients can read the node, but only the 
> servers (RegionServer & Master, which have the auth info) can modify it
> {quote}
>   /hbase
>   /hbase/meta-region-server
>   /hbase/master
>   /hbase/hbaseid
>   /hbase/rs
>   /hbase/table
>   /hbase/table/$tableName
> {quote}
> otherwise, only the servers can read and modify the node; the client can't see 
> them



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
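
The ACL layout described in the issue, as an added Python example that is not taken from the attached patches: it reproduces the digest id that ZooKeeper's DigestAuthenticationProvider.generateDigest derives, and returns the getAcl-style entries each znode would carry. The function names are hypothetical, and treating only direct children of /hbase/table as world-readable is an assumption drawn from the /hbase/table/$tableName entry.

```python
import base64
import hashlib

# Znodes the issue description lists as readable by every client.
WORLD_READABLE = {"/hbase", "/hbase/meta-region-server", "/hbase/master",
                  "/hbase/hbaseid", "/hbase/rs", "/hbase/table"}
TABLE_PREFIX = "/hbase/table/"  # covers /hbase/table/$tableName


def generate_digest(id_password: str) -> str:
    """Digest id as ZooKeeper builds it: name + ':' + base64(SHA-1(whole input))."""
    name = id_password.split(":", 1)[0]
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return name + ":" + base64.b64encode(sha1).decode("ascii")


def parse_acl_setting(value: str):
    """Split 'digest:<name>:<hash>:<perms>' into (scheme, id, perms)."""
    scheme, rest = value.split(":", 1)
    ident, perms = rest.rsplit(":", 1)  # base64 never contains ':'
    if scheme != "digest" or not perms or set(perms) - set("cdrwa"):
        raise ValueError("unsupported ACL setting: %r" % value)
    return scheme, ident, perms


def is_world_readable(path: str) -> bool:
    path = path.rstrip("/") or "/"
    if path in WORLD_READABLE:
        return True
    # Assumption: only direct children of /hbase/table are table znodes.
    child = path[len(TABLE_PREFIX):] if path.startswith(TABLE_PREFIX) else ""
    return bool(child) and "/" not in child


def acl_for(path: str, acl_setting: str):
    """Return getAcl-style (scheme, id, perms) entries for one znode."""
    acl = [parse_acl_setting(acl_setting)]  # servers holding the auth info
    if is_world_readable(path):
        acl.append(("world", "anyone", "r"))  # clients may read only
    return acl
```

The digest is an unsalted SHA-1 of the auth string, so the protection rests entirely on that string being hard to guess. Under this layout /hbase/replication gets the digest entry only, which is the case the comment above asks about.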
