[ 
https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17253845#comment-17253845
 ] 

lujie commented on HBASE-25407:
-------------------------------

 

[~vjasani]

 
{code:java}
As far as this one is concerned, this doesn't seem like a security bug. Region 
location data is public and the ability to locate regions by any client is 
fundamental to how HBase works. 
{code}
Hmm, what I am concerned about is inconsistency. Table 'test' is not visible to user1, 
e.g. the command 'list' will not return 'test' to user1. But user1 can still list 
the regions of 'test'. Regions belong to one table, so their data should only be 
public to the users who can access the table. If the table is not visible to 
user1, user1 should also not be able to see the region locations.

 

Maybe it is not a security bug, but we need to handle this inconsistency.

 
{code:java}
Knowing a region’s location doesn’t give a potential attacker any access to the 
data
{code}
 

Yes, if we build perfect access control, the region information will be 
useless. But we still need to follow the {color:#FF0000}Least Privilege 
principle{color}: only the minimum level of access for users is granted, 
because it is hard to guarantee that there are no security bugs in the system. For 
example, issues HBASE-6246 and HBASE-15132 need region information to exploit, and if we keep region information 
public only to users who can access it, it will decrease the possibility of 
being attacked.

> list_regions make potential sensitive information disclosure
> ------------------------------------------------------------
>
>                 Key: HBASE-25407
>                 URL: https://issues.apache.org/jira/browse/HBASE-25407
>             Project: HBase
>          Issue Type: Bug
>            Reporter: lujie
>            Priority: Critical
>         Attachments: image-2020-12-18-13-00-20-126.png, 
> image-2020-12-18-13-07-00-777.png
>
>
> I found that I can get other users' region information, which is not expected.
>   
>  For example, I create a table as sysadmin, then I can read the region 
> information as user1.
>  !image-2020-12-18-13-00-20-126.png!
>   
>  I have found that list_regions was introduced by 
> https://issues.apache.org/jira/browse/HBASE-14925
>  
> We can also get the region info via REST.
>  
> !image-2020-12-18-13-07-00-777.png!
>  
>  I think if we expose more information, we will be in a more dangerous situation, and 
> may even be attacked by others. 
>   
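An added audit (not code from the HBASE-25407 thread or from HBase itself) that checks the inconsistency described in the comment above: run it with the credentials of the user under test (e.g. user1) and pass the table names an administrator knows to exist; it reports every table that 'list' hides from the caller but whose regions the caller can still enumerate. It assumes an hbase-site.xml on the classpath and the HBase 2.x client API (Admin#listTableNames, Admin#getRegions); the class and method names are the example's own.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.RegionInfo;

public class RegionVisibilityAudit {

  /**
   * Returns the candidate tables that are hidden from the caller by listTableNames
   * (what the shell 'list' command shows) yet still expose their regions via getRegions
   * (what 'list_regions' shows). An empty result means visibility is consistent.
   */
  static List<String> findLeaks(Admin admin, List<String> candidates) throws IOException {
    Set<String> visible = new HashSet<>();
    for (TableName t : admin.listTableNames()) {
      visible.add(t.getNameAsString());
    }
    List<String> leaks = new ArrayList<>();
    for (String name : candidates) {
      if (visible.contains(name)) continue; // consistent: the caller may see this table anyway
      try {
        List<RegionInfo> regions = admin.getRegions(TableName.valueOf(name));
        if (!regions.isEmpty()) leaks.add(name + " (" + regions.size() + " regions)");
      } catch (IOException refused) {
        // consistent: the table is hidden and the region lookup was refused as well
      }
    }
    return leaks;
  }

  public static void main(String[] args) throws IOException {
    Configuration conf = HBaseConfiguration.create(); // picks up hbase-site.xml, caller's identity
    try (Connection conn = ConnectionFactory.createConnection(conf);
         Admin admin = conn.getAdmin()) {
      List<String> leaks = findLeaks(admin, Arrays.asList(args)); // args: table names to probe
      if (leaks.isEmpty()) System.out.println("OK: no hidden table exposes its regions");
      for (String leak : leaks) System.out.println("INCONSISTENT: " + leak);
    }
  }
}
```

Because the check only compares the two API answers for the same identity, it gives the same verdict whether the gap is closed in list_regions, in the REST endpoint, or by filtering region lookups in the access controller.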



--
This message was sent by Atlassian Jira
(v8.3.4#803005)