[ https://issues.apache.org/jira/browse/HBASE-6068?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286022#comment-13286022 ]
Andrew Purtell commented on HBASE-6068: --------------------------------------- +1 on the latest patch. I'll open another JIRA on the question of should we tighten up client need for znodes anywhere. > Secure HBase cluster : Client not able to call some admin APIs > -------------------------------------------------------------- > > Key: HBASE-6068 > URL: https://issues.apache.org/jira/browse/HBASE-6068 > Project: HBase > Issue Type: Bug > Components: security > Affects Versions: 0.92.1, 0.94.0, 0.96.0 > Reporter: Anoop Sam John > Assignee: Matteo Bertozzi > Attachments: HBASE-6068-v0.patch, HBASE-6068-v1.patch, > HBASE-6068-v2.patch, HBASE-6068-v3.patch > > > In case of secure cluster, we allow the HBase clients to read the zk nodes by > providing the global read permissions to all for certain nodes. These nodes > are the master address znode, root server znode and the clusterId znode. In > ZKUtil.createACL() , we can see these node names are specially handled. > But there are some other client side admin APIs which makes a read call into > the zookeeper from the client. This include the isTableEnabled() call (May be > some other. I have seen this). Here the client directly reads a node in the > zookeeper ( node created for this table ) and the data is matched to know > whether this is enabled or not. > Now in secure cluster case any client can read zookeeper nodes which it needs > for its normal operation like the master address and root server address. > But what if the client calls this API? [isTableEnaled () ]. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira