Josh Elser created HBASE-17717:
----------------------------------

Summary: Incorrect ZK ACL set for HBase superuser
Key: HBASE-17717
URL: https://issues.apache.org/jira/browse/HBASE-17717
Project: HBase
Issue Type: Bug
Components: security, Zookeeper
Reporter: Shreya Bhat
Assignee: Josh Elser
Fix For: 2.0.0, 1.3.1, 1.1.10, 1.2.6

Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs were actually set as we expect (yay, security). She noticed that, in some cases, we were seeing multiple ACLs for the same user.

{noformat}
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
{noformat}

After digging into this (and some insight from the mighty [~enis]), we realized that this was happening because of an overridden value for {{hbase.superuser}}. However, the ACL value doesn't match what we'd expect to see (as {{hbase.superuser}} was set to {{cstm-hbase}}).

After digging into this code, it seems like the {{auth}} ACL scheme in ZooKeeper does not work as we expect.

{code}
if (superUser != null) {
  acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
}
{code}

In the above, the {{"auth"}} scheme ignores any provided "subject" in the {{Id}} object. It *only* considers the authentication of the current connection. As such, our usage of this never actually sets the ACL for the superuser correctly.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
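
The following is an added example, not code from the issue, HBase or ZooKeeper: a simplified Python model of the server-side rewrite of {{auth}} entries described above, showing why the stored ACL names {{hbase}} twice and never {{cstm-hbase}}. Assumptions: the connection identities in {{CONN}}, a request that also carries a creator entry ({{auth}} with an empty id), and naming the principal under the {{sasl}} scheme as the contrasting case.

```python
# Simplified model of how a ZooKeeper server rewrites a requested ACL list
# before storing it. Constructed illustration, not ZooKeeper or HBase code.

def fixup_acl(requested, conn_auth):
    """requested: list of (perms, scheme, id) entries sent by the client.
    conn_auth: (scheme, id, authenticated) identities on the connection."""
    stored = []
    for perms, scheme, ident in requested:
        if scheme == "auth":
            # "auth" means "whoever this connection is authenticated as":
            # the supplied id is discarded and one entry is written per
            # authenticated identity on the connection.
            for c_scheme, c_id, authenticated in conn_auth:
                if authenticated:
                    stored.append((perms, c_scheme, c_id))
        else:
            # Other schemes (world, sasl, ...) keep the id that was given.
            stored.append((perms, scheme, ident))
    return stored

def grants(stored, scheme, ident):
    """True if the stored ACL has an entry for exactly this scheme and id."""
    return any(s == scheme and i == ident for _, s, i in stored)

# Constructed connection: the service authenticated over SASL as "hbase";
# the ip identity is present but does not count as authenticated.
CONN = [("ip", "10.0.0.5", False), ("sasl", "hbase", True)]
SUPERUSER = "cstm-hbase"  # hbase.superuser value from the report

def build_request(superuser_scheme):
    # Assumed request shape: world-readable entry, superuser entry,
    # creator entry (auth scheme with an empty id).
    return [("r", "world", "anyone"),
            ("cdrwa", superuser_scheme, SUPERUSER),
            ("cdrwa", "auth", "")]

BUGGY = fixup_acl(build_request("auth"), CONN)  # superuser via "auth"
NAMED = fixup_acl(build_request("sasl"), CONN)  # superuser via "sasl"

if __name__ == "__main__":
    for label, acl in (("auth scheme", BUGGY), ("sasl scheme", NAMED)):
        print(label)
        for perms, scheme, ident in acl:
            print(f"  '{scheme},'{ident} : {perms}")
```

An audit of a deployed znode can apply the same test as {{grants}}: the configured superuser should appear by name in the stored ACL, and repeated entries for the service principal indicate an {{auth}} entry that was meant to name someone else.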