[ https://issues.apache.org/jira/browse/HBASE-17717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15892577#comment-15892577 ]

Josh Elser commented on HBASE-17717:
------------------------------------

bq. The documentation on the zookeeper side is not explicit unfortunately.

Yes, this is unfortunate for sure.

bq. So it only replaces auth with sasl iff the user principal matches with the 
current user

My understanding is that when the client setting an ACL includes one with 
{{auth}} as the scheme, the ACL is modified (before being set on the znode) to 
be the current user's authenticated credentials.

It seems like, somehow, this was still being treated as unique to the explicit 
{{sasl:hbase}} ACL that we also set (thus, two ACLs showing up). Let me poke in 
the ZK code and try to understand this a little more..

> Incorrect ZK ACL set for HBase superuser
> ----------------------------------------
>
>                 Key: HBASE-17717
>                 URL: https://issues.apache.org/jira/browse/HBASE-17717
>             Project: HBase
>          Issue Type: Bug
>          Components: security, Zookeeper
>            Reporter: Shreya Bhat
>            Assignee: Josh Elser
>             Fix For: 2.0.0, 1.3.1, 1.1.10, 1.2.6
>
>         Attachments: HBASE-17717.001.patch
>
>
> Shreya was doing some testing of a deploy of HBase, verifying that the ZK 
> ACLs were actually set as we expect (yay, security).
> She noticed that, in some cases, we were seeing multiple ACLs for the same 
> user.
> {noformat}
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> {noformat}
> After digging into this (and some insight from the mighty [~enis]), we 
> realized that this was happening because of an overridden value for 
> {{hbase.superuser}}. However, the ACL value doesn't match what we'd expect to 
> see (as hbase.superuser was set to {{cstm-hbase}}).
> After digging into this code, it seems like the {{auth}} ACL scheme in 
> ZooKeeper does not work as we expect.
> {code}
>       if (superUser != null) {
>         acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
>       }
> {code}
> In the above, the {{"auth"}} scheme ignores any provided "subject" in the 
> {{Id}} object. It *only* considers the authentication of the current 
> connection. As such, our usage of this never actually sets the ACL for the 
> superuser correctly.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
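
The behaviour discussed in this thread, as an added example that is not HBase or ZooKeeper code: a simplified Java model in which an {{auth}} entry is rewritten to the connection's authenticated ids and the id supplied by the client is dropped. The class and method names, the connection identity {{sasl:hbase}}, and the contrasting explicit {{sasl}} entry for the superuser are assumptions made for illustration; the page does not show what the attached patch changes.

```java
import java.util.ArrayList;
import java.util.List;

public class AuthSchemeModel {
    // Minimal stand-ins for ZooKeeper's Id and ACL types (hypothetical, java.util only).
    record Id(String scheme, String id) {}
    record Acl(Id id, String perms) {
        @Override public String toString() {
            return "'" + id.scheme() + ",'" + id.id() + " : " + perms;
        }
    }

    // Model of the rewrite described in the thread: every "auth" entry becomes one
    // entry per authenticated id of the connection; the client-supplied id is ignored.
    static List<Acl> fixup(List<Acl> requested, List<Id> connectionAuth) {
        List<Acl> out = new ArrayList<>();
        for (Acl a : requested) {
            if (!a.id().scheme().equals("auth")) {
                out.add(a);                       // other schemes pass through unchanged
                continue;
            }
            for (Id cid : connectionAuth) {
                out.add(new Acl(cid, a.perms())); // "cstm-hbase" is lost at this point
            }
        }
        return out;
    }

    // ACL list shaped like the one in the issue; the superuser entry's scheme is a
    // parameter so both variants can be compared (constructed sample data).
    static List<Acl> buildAcls(String superUserScheme, String superUser) {
        List<Acl> acls = new ArrayList<>();
        acls.add(new Acl(new Id("world", "anyone"), "r"));
        acls.add(new Acl(new Id("sasl", "hbase"), "cdrwa"));
        if (superUser != null) {
            acls.add(new Acl(new Id(superUserScheme, superUser), "cdrwa"));
        }
        return acls;
    }

    public static void main(String[] args) {
        // Assumed: the process setting the ACL is authenticated as sasl:hbase.
        List<Id> conn = List.of(new Id("sasl", "hbase"));
        System.out.println("auth: " + fixup(buildAcls("auth", "cstm-hbase"), conn));
        System.out.println("sasl: " + fixup(buildAcls("sasl", "cstm-hbase"), conn));
    }
}
```

In this model the {{auth}} variant yields two {{sasl:hbase}} entries and no entry for {{cstm-hbase}}, matching the listing in the issue description, while the explicit {{sasl}} variant keeps the configured superuser name.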
