[
https://issues.apache.org/jira/browse/ZOOKEEPER-4996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
zhanglu153 updated ZOOKEEPER-4996:
----------------------------------
Attachment: (was: image-2025-11-25-10-45-49-204.png)
> The appearance of the 'auth' schema leads to invalid znode authentication
> -------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4996
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4996
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.4.14
> Reporter: zhanglu153
> Priority: Major
> Attachments: image-2025-11-25-10-51-03-165.png
>
>
> After calling getACL, multiple znodes returned auth schema, causing the
> client to throw NoAuth exception.
> The operation steps are as follows:
> * Configure in jaas.conf:
> {code:java}
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> keyTab="/cloud/service/zookeeper/conf/hbase.keytab"
> storeKey=true
> useTicketCache=false
> principal="[email protected]";
> }; {code}
> * zkCli.sh server 192.168.180.23 performs hbase user authentication, and it
> can be found that there are some znodes with incorrect permissions, use
> Zookeeper super administrator to query the permissions of znode with
> incorrect permissions. !image-2025-11-25-10-51-03-165.png!
> *
> {code:java}
> getAcl /hbase/replication/peers
> 'auth,'
> : cdrwa
> getAcl /hbase/hbaseid
> 'auth,'
> : cdrwa
> 'world,'anyone
> : r{code}
> There are the following znodes with permission issues, including some znodes
> for hive in addition to hbase:
> * /hbase/replication/peers 'auth,': cdrwa
> * /hbase/replication/rs 'auth,': cdrwa
> * /hbase/table-lock/hdp_ns:spark_test 'auth,': cdrwa
> * /hbase/flush-table-proc/abort 'auth,': cdrwa
> * /hbase/flush-table-proc/acquired 'auth,': cdrwa
> * /hbase/flush-table-proc/reached 'auth,': cdrwa
> * /hbase/online-snapshot/abort 'auth,': cdrwa
> * /hbase/online-snapshot/acquired 'auth,': cdrwa
> * /hbase/online-snapshot/reached 'auth,': cdrwa
> * /hbase/tokenauth/keys 'auth,': cdrwa
> * /hbase/tokenauth/keys/22 'auth,': cdrwa
> * /hbase/tokenauth/keys/23 'auth,': cdrwa
> * /hbase/tokenauth/keys/24 'auth,': cdrwa
> * /hbase/tokenauth/keys/18 'auth,': cdrwa
> * /hbase/tokenauth/keys/19 'auth,': cdrwa
> * /hbase/tokenauth/keys/20 'auth,': cdrwa
> * /hbase/tokenauth/keys/21 'auth,': cdrwa
> * /hbase/recovering-regions 'auth,': cdrwa
> * /hbase/draining 'auth,':
> cdrwa
> * /hbase/namespace 'auth,': cdrwa
> * /hbase/namespace/default 'auth,': cdrwa
> * /hbase/namespace/hdp_ns 'auth,': cdrwa
> * /hbase/namespace/hbase 'auth,': cdrwa
> * /hbase/hbaseid 'auth,':
> cdrwa 'world,'anyone: r
> * /hbase/table 'auth,':
> cdrwa 'world,'anyone: r
> * /hbase/table/hbase:meta 'auth,': cdrwa
> 'world,'anyone: r
> * /hbase/table/hbase:namespace 'auth,': cdrwa
> 'world,'anyone: r
> * /hbase/table/hdp_ns:spark_test_sink 'auth,': cdrwa
> 'world,'anyone: r
> * /hbase/table/hdp_ns:spark_test 'auth,': cdrwa
> 'world,'anyone: r
> * /hbase/table/hdp_ns:yhb_tbl_1 'auth,': cdrwa
> 'world,'anyone: r
> * /hbase/table/hdp_ns:flink_test 'auth,': cdrwa
> 'world,'anyone: r
> * /hbase/table/hdp_ns:flink_test1 'auth,': cdrwa
> 'world,'anyone: r
> * /hivedelegationMETASTORE/keys/0000000019
> 'auth,': cdrwa
> * /hivedelegationMETASTORE/keys/0000000021
> 'auth,': cdrwa
> * /hivedelegationMETASTORE/keys/0000000020
> 'auth,': cdrwa
> * /hivedelegationHIVESERVER2/keys/0000000019
> 'auth,': cdrwa
> * /hivedelegationHIVESERVER2/keys/0000000021
> 'auth,': cdrwa
> * /hivedelegationHIVESERVER2/keys/0000000020
> 'auth,': cdrwa
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
