[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

zhanglu153 updated ZOOKEEPER-4996:
----------------------------------
    Description: 
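After calling getACL, multiple znodes return an ACL entry with the 'auth' scheme 
and an empty id ('auth,'), and the client gets a NoAuth exception when it accesses 
them. A stored 'auth' entry is unexpected: the server normally replaces the 'auth' 
scheme with the ids the creating session authenticated with at the time the ACL is 
set, so presumably no client identity can match 'auth,' when the ACL is checked, 
which would explain the NoAuth result for the hbase user.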

The operation steps are as follows:
 * Configure in jaas.conf:
{code:java}
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/cloud/service/zookeeper/conf/hbase.keytab"
  storeKey=true
  useTicketCache=false
  principal="[email protected]";
}; {code}

 * Connect with zkCli.sh server 192.168.180.23 and authenticate as the hbase user; 
some znodes turn out to have incorrect permissions. Use the ZooKeeper super 
administrator to query the ACLs of the znodes with incorrect 
permissions.  !image-2025-11-25-11-14-47-196.png!
 * 
{code:java}
getAcl /hbase/replication/peers   
'auth,'
: cdrwa

getAcl /hbase/hbaseid             
'auth,'
: cdrwa
'world,'anyone
: r{code}

The following znodes have the permission problem; besides the hbase znodes, some 
hive znodes are affected as well:
  * /hbase/replication/peers                                  'auth,': cdrwa
 * /hbase/replication/rs                                        'auth,': cdrwa
 * /hbase/table-lock/hdp_ns:spark_test               'auth,': cdrwa
 * /hbase/flush-table-proc/abort                         'auth,': cdrwa
 * /hbase/flush-table-proc/acquired                    'auth,': cdrwa
 * /hbase/flush-table-proc/reached                     'auth,': cdrwa
 * /hbase/online-snapshot/abort                         'auth,': cdrwa
 * /hbase/online-snapshot/acquired                    'auth,': cdrwa
 * /hbase/online-snapshot/reached                     'auth,': cdrwa
 * /hbase/tokenauth/keys                                    'auth,': cdrwa
 * /hbase/tokenauth/keys/22                               'auth,': cdrwa
 * /hbase/tokenauth/keys/23                               'auth,': cdrwa
 * /hbase/tokenauth/keys/24                               'auth,': cdrwa
 * /hbase/tokenauth/keys/18                               'auth,': cdrwa
 * /hbase/tokenauth/keys/19                               'auth,': cdrwa
 * /hbase/tokenauth/keys/20                               'auth,': cdrwa
 * /hbase/tokenauth/keys/21                               'auth,': cdrwa
 * /hbase/recovering-regions                               'auth,': cdrwa
 * /hbase/draining                                                'auth,': cdrwa
 * /hbase/namespace                                           'auth,': cdrwa
 * /hbase/namespace/default                               'auth,': cdrwa
 * /hbase/namespace/hdp_ns                               'auth,': cdrwa
 * /hbase/namespace/hbase                                 'auth,': cdrwa
 * /hbase/hbaseid                                 'auth,': cdrwa      'world,'anyone: r
 * /hbase/table                                   'auth,': cdrwa      'world,'anyone: r
 * /hbase/table/hbase:meta                        'auth,': cdrwa      'world,'anyone: r
 * /hbase/table/hbase:namespace                   'auth,': cdrwa      'world,'anyone: r
 * /hbase/table/hdp_ns:spark_test_sink            'auth,': cdrwa      'world,'anyone: r
 * /hbase/table/hdp_ns:spark_test                 'auth,': cdrwa      'world,'anyone: r
 * /hbase/table/hdp_ns:yhb_tbl_1                  'auth,': cdrwa      'world,'anyone: r
 * /hbase/table/hdp_ns:flink_test                 'auth,': cdrwa      'world,'anyone: r
 * /hbase/table/hdp_ns:flink_test1                'auth,': cdrwa      'world,'anyone: r
 * /hivedelegationMETASTORE/keys/0000000019       'auth,': cdrwa
 * /hivedelegationMETASTORE/keys/0000000021       'auth,': cdrwa
 * /hivedelegationMETASTORE/keys/0000000020       'auth,': cdrwa
 * /hivedelegationHIVESERVER2/keys/0000000019     'auth,': cdrwa
 * /hivedelegationHIVESERVER2/keys/0000000021     'auth,': cdrwa
 * /hivedelegationHIVESERVER2/keys/0000000020     'auth,': cdrwa

  was:
After calling getACL, multiple znodes returned auth schema, causing the client 
to throw NoAuth exception.

The operation steps are as follows:
 * Configure in jaas.conf:
{code:java}
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/cloud/service/zookeeper/conf/hbase.keytab"
  storeKey=true
  useTicketCache=false
  principal="[email protected]";
}; {code}

 * zkCli.sh server 192.168.180.23 performs hbase user authentication, and it 
can be found that there are some znodes with incorrect permissions, use 
Zookeeper super administrator to query the permissions of znode with incorrect 
permissions. !image-2025-11-25-10-51-03-165.png!
 * 
{code:java}
getAcl /hbase/replication/peers   
'auth,'
: cdrwa

getAcl /hbase/hbaseid             
'auth,'
: cdrwa
'world,'anyone
: r{code}

There are the following znodes with permission issues, including some znodes 
for hive in addition to hbase:
  * /hbase/replication/peers                                  'auth,': cdrwa
 * /hbase/replication/rs                                        'auth,': cdrwa
 * /hbase/table-lock/hdp_ns:spark_test               'auth,': cdrwa
 * /hbase/flush-table-proc/abort                         'auth,': cdrwa
 * /hbase/flush-table-proc/acquired                    'auth,': cdrwa
 * /hbase/flush-table-proc/reached                     'auth,': cdrwa
 * /hbase/online-snapshot/abort                         'auth,': cdrwa
 * /hbase/online-snapshot/acquired                    'auth,': cdrwa
 * /hbase/online-snapshot/reached                     'auth,': cdrwa
 * /hbase/tokenauth/keys                                    'auth,': cdrwa
 * /hbase/tokenauth/keys/22                               'auth,': cdrwa
 * /hbase/tokenauth/keys/23                               'auth,': cdrwa
 * /hbase/tokenauth/keys/24                               'auth,': cdrwa
 * /hbase/tokenauth/keys/18                               'auth,': cdrwa
 * /hbase/tokenauth/keys/19                               'auth,': cdrwa
 * /hbase/tokenauth/keys/20                               'auth,': cdrwa
 * /hbase/tokenauth/keys/21                               'auth,': cdrwa
 * /hbase/recovering-regions                               'auth,': cdrwa
 * /hbase/draining                                                'auth,': cdrwa
 * /hbase/namespace                                           'auth,': cdrwa
 * /hbase/namespace/default                               'auth,': cdrwa
 * /hbase/namespace/hdp_ns                               'auth,': cdrwa
 * /hbase/namespace/hbase                                 'auth,': cdrwa
 * /hbase/hbaseid                                                 'auth,': 
cdrwa      'world,'anyone: r
 * /hbase/table                                                     'auth,': 
cdrwa      'world,'anyone: r
 * /hbase/table/hbase:meta                                  'auth,': cdrwa      
'world,'anyone: r
 * /hbase/table/hbase:namespace                        'auth,': cdrwa      
'world,'anyone: r
 * /hbase/table/hdp_ns:spark_test_sink                'auth,': cdrwa      
'world,'anyone: r
 * /hbase/table/hdp_ns:spark_test                        'auth,': cdrwa      
'world,'anyone: r
 * /hbase/table/hdp_ns:yhb_tbl_1                         'auth,': cdrwa      
'world,'anyone: r
 * /hbase/table/hdp_ns:flink_test                          'auth,': cdrwa      
'world,'anyone: r
 * /hbase/table/hdp_ns:flink_test1                        'auth,': cdrwa      
'world,'anyone: r
 * /hivedelegationMETASTORE/keys/0000000019                                 
'auth,': cdrwa
 * /hivedelegationMETASTORE/keys/0000000021                                 
'auth,': cdrwa
 * /hivedelegationMETASTORE/keys/0000000020                                 
'auth,': cdrwa
 * /hivedelegationHIVESERVER2/keys/0000000019                                 
'auth,': cdrwa
 * /hivedelegationHIVESERVER2/keys/0000000021                                 
'auth,': cdrwa
 * /hivedelegationHIVESERVER2/keys/0000000020                                 
'auth,': cdrwa


> The appearance of the 'auth' schema leads to invalid znode authentication
> -------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4996
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4996
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.4.14
>            Reporter: zhanglu153
>            Priority: Major
>         Attachments: image-2025-11-25-11-14-47-196.png
>
>
> After calling getACL, multiple znodes return an ACL entry with the 'auth' 
> scheme, and the client gets a NoAuth exception.
> The operation steps are as follows:
>  * Configure in jaas.conf:
> {code:java}
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   keyTab="/cloud/service/zookeeper/conf/hbase.keytab"
>   storeKey=true
>   useTicketCache=false
>   principal="[email protected]";
> }; {code}
>  * zkCli.sh server 192.168.180.23 performs hbase user authentication, and it 
> can be found that there are some znodes with incorrect permissions, use 
> Zookeeper super administrator to query the permissions of znode with 
> incorrect permissions.  !image-2025-11-25-11-14-47-196.png!
>  * 
> {code:java}
> getAcl /hbase/replication/peers   
> 'auth,'
> : cdrwa
> getAcl /hbase/hbaseid             
> 'auth,'
> : cdrwa
> 'world,'anyone
> : r{code}
> There are the following znodes with permission issues, including some znodes 
> for hive in addition to hbase:
>   * /hbase/replication/peers                                  'auth,': cdrwa
>  * /hbase/replication/rs                                        'auth,': cdrwa
>  * /hbase/table-lock/hdp_ns:spark_test               'auth,': cdrwa
>  * /hbase/flush-table-proc/abort                         'auth,': cdrwa
>  * /hbase/flush-table-proc/acquired                    'auth,': cdrwa
>  * /hbase/flush-table-proc/reached                     'auth,': cdrwa
>  * /hbase/online-snapshot/abort                         'auth,': cdrwa
>  * /hbase/online-snapshot/acquired                    'auth,': cdrwa
>  * /hbase/online-snapshot/reached                     'auth,': cdrwa
>  * /hbase/tokenauth/keys                                    'auth,': cdrwa
>  * /hbase/tokenauth/keys/22                               'auth,': cdrwa
>  * /hbase/tokenauth/keys/23                               'auth,': cdrwa
>  * /hbase/tokenauth/keys/24                               'auth,': cdrwa
>  * /hbase/tokenauth/keys/18                               'auth,': cdrwa
>  * /hbase/tokenauth/keys/19                               'auth,': cdrwa
>  * /hbase/tokenauth/keys/20                               'auth,': cdrwa
>  * /hbase/tokenauth/keys/21                               'auth,': cdrwa
>  * /hbase/recovering-regions                               'auth,': cdrwa
>  * /hbase/draining                                                'auth,': 
> cdrwa
>  * /hbase/namespace                                           'auth,': cdrwa
>  * /hbase/namespace/default                               'auth,': cdrwa
>  * /hbase/namespace/hdp_ns                               'auth,': cdrwa
>  * /hbase/namespace/hbase                                 'auth,': cdrwa
>  * /hbase/hbaseid                                                 'auth,': 
> cdrwa      'world,'anyone: r
>  * /hbase/table                                                     'auth,': 
> cdrwa      'world,'anyone: r
>  * /hbase/table/hbase:meta                                  'auth,': cdrwa    
>   'world,'anyone: r
>  * /hbase/table/hbase:namespace                        'auth,': cdrwa      
> 'world,'anyone: r
>  * /hbase/table/hdp_ns:spark_test_sink                'auth,': cdrwa      
> 'world,'anyone: r
>  * /hbase/table/hdp_ns:spark_test                        'auth,': cdrwa      
> 'world,'anyone: r
>  * /hbase/table/hdp_ns:yhb_tbl_1                         'auth,': cdrwa      
> 'world,'anyone: r
>  * /hbase/table/hdp_ns:flink_test                          'auth,': cdrwa     
>  'world,'anyone: r
>  * /hbase/table/hdp_ns:flink_test1                        'auth,': cdrwa      
> 'world,'anyone: r
>  * /hivedelegationMETASTORE/keys/0000000019                                 
> 'auth,': cdrwa
>  * /hivedelegationMETASTORE/keys/0000000021                                 
> 'auth,': cdrwa
>  * /hivedelegationMETASTORE/keys/0000000020                                 
> 'auth,': cdrwa
>  * /hivedelegationHIVESERVER2/keys/0000000019                                 
> 'auth,': cdrwa
>  * /hivedelegationHIVESERVER2/keys/0000000021                                 
> 'auth,': cdrwa
>  * /hivedelegationHIVESERVER2/keys/0000000020                                 
> 'auth,': cdrwa


