[ https://issues.apache.org/jira/browse/HBASE-18323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16075084#comment-16075084 ]
Josh Elser commented on HBASE-18323: ------------------------------------ bq. I think this line of code we can remove : acls.addAll(Ids.CREATOR_ALL_ACL); No, I don't think we should do that. This only works in the case where the HBase service user is an HBase superuser. We're duplicating the ACLs because the service user is also a superuser. If we would ever change the semantics of HBase superuser, we would have to remember to change this logic again. I think it would be safer to avoid setting the service user to the list of ACLs we build up in the same method (always use CREATOR_ALL_ACL, just avoid setting the explicit ACL for the same user). Does that make sense? Also, let me know if I'm missing something as this logic in ZooKeeper isn't exactly straightforward :) > Remove multiple ACLs for the same user in kerberos > -------------------------------------------------- > > Key: HBASE-18323 > URL: https://issues.apache.org/jira/browse/HBASE-18323 > Project: HBase > Issue Type: Bug > Affects Versions: 1.2.0, 3.0.0 > Reporter: Shibin Zhang > Priority: Minor > Attachments: HBASE-18323.patch > > > When deploy hbase in kerberos way ,there will be multiple acls in znode : > 'world,'anyone > : r > 'sasl,'hbase > : cdrwa > 'sasl,'hbase > : cdrwa > I also see the related issue and apply the patch, like > https://issues.apache.org/jira/browse/HBASE-17717 > but in my environment ,this situation still appear, > After dig into the code , i found the reason in source code ZKUtil.createAcl > is > if (zkw.isClientReadable(node)) { > LOG.error("isSecureZooKeeper user: clientReadable"); > acls.addAll(Ids.CREATOR_ALL_ACL); > acls.addAll(Ids.READ_ACL_UNSAFE); > } else { > LOG.error("isSecureZooKeeper user: clientReadable no"); > acls.addAll(Ids.CREATOR_ALL_ACL); > } > acls.addAll(Ids.CREATOR_ALL_ACL); > > Id AUTH_IDS = new Id("auth", ""); > ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new > ACL(31, AUTH_IDS))); > AUTH_IDS with "auth " will result current connection auth user add to > znode acl , > so it will appear multiple acls for same users. > I think this line of code we can remove : > acls.addAll(Ids.CREATOR_ALL_ACL); -- This message was sent by Atlassian JIRA (v6.4.14#64029)