[jira] [Commented] (HBASE-20735) Invalid validation of coprocessor whitelist

2018-06-28 Thread Amit Anand (JIRA) 


[ 
https://issues.apache.org/jira/browse/HBASE-20735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16526481#comment-16526481
 ] 

Amit Anand commented on HBASE-20735:


Also, I am able to attach a {{coprocessor}} when {{whitelist}} path is not 
defined at all. Below is the configuration in my {{hbase-site.xml}}
{code:java}
  
hbase.coprocessor.region.classes
 
org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController
  

  
hbase.coprocessor.regionserver.classes
org.apache.hadoop.hbase.security.access.AccessController
  
  
hbase.coprocessor.master.classes
 
org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.access.CoprocessorWhitelistMasterObserver
  
--
  
hbase.coprocessor.abortonerror
true
  
--

  hbase.coprocessor.region.whitelist.paths
  
{code}
and below is what I am able to do via {{hbase shell}}
{code:java}
create 'test_coprocessors', 'c'

alter 'test_coprocessors', METHOD => 'table_att', 'COPROCESSOR' => 
'hdfs:/tmp/coprocessors/coprocessors-0.4.0.jar|com.foo.bar.coprocessors.observers.PrefixedDataFilter|100|prefix=P'
{code}
 

> Invalid validation of coprocessor whitelist
> ---
>
> Key: HBASE-20735
> URL: https://issues.apache.org/jira/browse/HBASE-20735
> Project: HBase
>  Issue Type: Bug
>  Components: Coprocessors
>Reporter: Jagadeesh Anabathula
>Assignee: Clay B.
>Priority: Major
>  Labels: security
>
> Per HBASE-16700, coprocessors can be present only in whitelisted paths.
>  It validates for every new coprocessor, if jar's path is in whitelist paths.
>  It is currently validating only the first coprocessor that is set to a 
> table. All the coprocessors that are added after that are not validated and 
> allows path other than that are whitelisted.
> In my case, I have hbase.coprocessor.region.whitelist.paths as 
> /tmp/**,*/tmp/coprocessors/*
> Following works fine
> {code}
>  hbase(main):001:0> create 'test_coprocessors', 'c'
>  0 row(s) in 1.7540 seconds
> => Hbase::Table - test_coprocessors
>  hbase(main):002:0> alter 'test_coprocessors', METHOD => 'table_att', 
> 'COPROCESSOR' => 
> 'hdfs:/tmp/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observers.PrefixedDataFilter|100|prefix=P'
>  Updating all regions with the new schema...
>  1/1 regions updated.
>  Done.
>  0 row(s) in 2.1250 seconds
> hbase(main):003:0> alter 'test_coprocessors', METHOD => 'table_att', 
> 'COPROCESSOR' => 
> 'hdfs:/user/hbase/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observers.PrefixedDataFilter|100|prefix=P'
>  Updating all regions with the new schema...
>  1/1 regions updated.
>  Done.
>  0 row(s) in 1.9690 seconds
> hbase(main):004:0> desc 'test_coprocessors'
>  Table test_coprocessors is ENABLED
>  test_coprocessors, {TABLE_ATTRIBUTES => {METADATA => {'COPROCESSOR$1' => 
> 'hdfs:/tmp/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observer
>  s.PrefixedDataFilter|100|prefix=P', 'COPROCESSOR$2' => 
> 'hdfs:/user/hbase/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observers.Prefi
>  xedDataFilter|100|prefix=P'}}
>  COLUMN FAMILIES DESCRIPTION
> {NAME => 'c', BLOOMFILTER => 'ROW', VERSIONS => '1', IN_MEMORY => 'false', 
> KEEP_DELETED_CELLS => 'FALSE', DATA_BLOCK_ENCODING => 'NONE', TTL => 
> 'FOREVER', COMPRESSION => 'NONE', MIN_VERSIONS => '0', BLOCKCACHE => 'true', 
> BLOCKSIZE => '65536', REPLICATION_SCOPE => '0'}
> 1 row(s) in 0.0220 seconds
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (HBASE-20735) Invalid validation of coprocessor whitelist

2018-06-16 Thread Clay B. (JIRA) 


[ 
https://issues.apache.org/jira/browse/HBASE-20735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16514910#comment-16514910
 ] 

Clay B. commented on HBASE-20735:
-

This was seen on Hortonworks 2.6.3 as I understand it so roughly 1.1.2 based 
and thus not a current release of any type. I am working on a test to reproduce 
as I have not seen the cluster in question yet.

> Invalid validation of coprocessor whitelist
> ---
>
> Key: HBASE-20735
> URL: https://issues.apache.org/jira/browse/HBASE-20735
> Project: HBase
>  Issue Type: Bug
>  Components: Coprocessors
>Reporter: Jagadeesh Anabathula
>Assignee: Clay B.
>Priority: Major
>  Labels: security
>
> Per HBASE-16700, coprocessors can be present only in whitelisted paths.
>  It validates for every new coprocessor, if jar's path is in whitelist paths.
>  It is currently validating only the first coprocessor that is set to a 
> table. All the coprocessors that are added after that are not validated and 
> allows path other than that are whitelisted.
> In my case, I have hbase.coprocessor.region.whitelist.paths as 
> /tmp/**,*/tmp/coprocessors/*
> Following works fine
> {code}
>  hbase(main):001:0> create 'test_coprocessors', 'c'
>  0 row(s) in 1.7540 seconds
> => Hbase::Table - test_coprocessors
>  hbase(main):002:0> alter 'test_coprocessors', METHOD => 'table_att', 
> 'COPROCESSOR' => 
> 'hdfs:/tmp/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observers.PrefixedDataFilter|100|prefix=P'
>  Updating all regions with the new schema...
>  1/1 regions updated.
>  Done.
>  0 row(s) in 2.1250 seconds
> hbase(main):003:0> alter 'test_coprocessors', METHOD => 'table_att', 
> 'COPROCESSOR' => 
> 'hdfs:/user/hbase/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observers.PrefixedDataFilter|100|prefix=P'
>  Updating all regions with the new schema...
>  1/1 regions updated.
>  Done.
>  0 row(s) in 1.9690 seconds
> hbase(main):004:0> desc 'test_coprocessors'
>  Table test_coprocessors is ENABLED
>  test_coprocessors, {TABLE_ATTRIBUTES => {METADATA => {'COPROCESSOR$1' => 
> 'hdfs:/tmp/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observer
>  s.PrefixedDataFilter|100|prefix=P', 'COPROCESSOR$2' => 
> 'hdfs:/user/hbase/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observers.Prefi
>  xedDataFilter|100|prefix=P'}}
>  COLUMN FAMILIES DESCRIPTION
> {NAME => 'c', BLOOMFILTER => 'ROW', VERSIONS => '1', IN_MEMORY => 'false', 
> KEEP_DELETED_CELLS => 'FALSE', DATA_BLOCK_ENCODING => 'NONE', TTL => 
> 'FOREVER', COMPRESSION => 'NONE', MIN_VERSIONS => '0', BLOCKCACHE => 'true', 
> BLOCKSIZE => '65536', REPLICATION_SCOPE => '0'}
> 1 row(s) in 0.0220 seconds
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (HBASE-20735) Invalid validation of coprocessor whitelist

2018-06-14 Thread Mike Drob (JIRA) 


[ 
https://issues.apache.org/jira/browse/HBASE-20735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16512942#comment-16512942
 ] 

Mike Drob commented on HBASE-20735:
---

is this an issue on branch-1, branch-2, or both?

> Invalid validation of coprocessor whitelist
> ---
>
> Key: HBASE-20735
> URL: https://issues.apache.org/jira/browse/HBASE-20735
> Project: HBase
>  Issue Type: Bug
>  Components: Coprocessors
>Reporter: Jagadeesh Anabathula
>Assignee: Clay B.
>Priority: Major
>  Labels: security
>
> Per HBASE-16700, coprocessors can be present only in whitelisted paths.
>  It validates for every new coprocessor, if jar's path is in whitelist paths.
>  It is currently validating only the first coprocessor that is set to a 
> table. All the coprocessors that are added after that are not validated and 
> allows path other than that are whitelisted.
> In my case, I have hbase.coprocessor.region.whitelist.paths as 
> /tmp/**,*/tmp/coprocessors/*
> Following works fine
> {code}
>  hbase(main):001:0> create 'test_coprocessors', 'c'
>  0 row(s) in 1.7540 seconds
> => Hbase::Table - test_coprocessors
>  hbase(main):002:0> alter 'test_coprocessors', METHOD => 'table_att', 
> 'COPROCESSOR' => 
> 'hdfs:/tmp/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observers.PrefixedDataFilter|100|prefix=P'
>  Updating all regions with the new schema...
>  1/1 regions updated.
>  Done.
>  0 row(s) in 2.1250 seconds
> hbase(main):003:0> alter 'test_coprocessors', METHOD => 'table_att', 
> 'COPROCESSOR' => 
> 'hdfs:/user/hbase/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observers.PrefixedDataFilter|100|prefix=P'
>  Updating all regions with the new schema...
>  1/1 regions updated.
>  Done.
>  0 row(s) in 1.9690 seconds
> hbase(main):004:0> desc 'test_coprocessors'
>  Table test_coprocessors is ENABLED
>  test_coprocessors, {TABLE_ATTRIBUTES => {METADATA => {'COPROCESSOR$1' => 
> 'hdfs:/tmp/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observer
>  s.PrefixedDataFilter|100|prefix=P', 'COPROCESSOR$2' => 
> 'hdfs:/user/hbase/coprocessors/coprocessors-0.4.0.jar|com.test.hbase.coprocessors.observers.Prefi
>  xedDataFilter|100|prefix=P'}}
>  COLUMN FAMILIES DESCRIPTION
> {NAME => 'c', BLOOMFILTER => 'ROW', VERSIONS => '1', IN_MEMORY => 'false', 
> KEEP_DELETED_CELLS => 'FALSE', DATA_BLOCK_ENCODING => 'NONE', TTL => 
> 'FOREVER', COMPRESSION => 'NONE', MIN_VERSIONS => '0', BLOCKCACHE => 'true', 
> BLOCKSIZE => '65536', REPLICATION_SCOPE => '0'}
> 1 row(s) in 0.0220 seconds
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)