[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16782310#comment-16782310 ] Reid Chan commented on HBASE-21481: --- Thanks! [~zghaobac] > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch, > HBASE-21481.master.014.patch, HBASE-21481.master.014.patch, > HBASE-21481.master.014.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16782301#comment-16782301 ] Hudson commented on HBASE-21481: Results for branch master [build #832 on builds.a.o|https://builds.apache.org/job/HBase%20Nightly/job/master/832/]: (x) *{color:red}-1 overall{color}* details (if available): (x) {color:red}-1 general checks{color} -- For more information [see general report|https://builds.apache.org/job/HBase%20Nightly/job/master/832//General_Nightly_Build_Report/] (x) {color:red}-1 jdk8 hadoop2 checks{color} -- For more information [see jdk8 (hadoop2) report|https://builds.apache.org/job/HBase%20Nightly/job/master/832//JDK8_Nightly_Build_Report_(Hadoop2)/] (x) {color:red}-1 jdk8 hadoop3 checks{color} -- For more information [see jdk8 (hadoop3) report|https://builds.apache.org/job/HBase%20Nightly/job/master/832//JDK8_Nightly_Build_Report_(Hadoop3)/] (x) {color:red}-1 source release artifact{color} -- See build output for details. (x) {color:red}-1 client integration test{color} -- Something went wrong with this stage, [check relevant console output|https://builds.apache.org/job/HBase%20Nightly/job/master/832//console]. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch, > HBASE-21481.master.014.patch, HBASE-21481.master.014.patch, > HBASE-21481.master.014.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16782202#comment-16782202 ] Hudson commented on HBASE-21481: Results for branch branch-2 [build #1720 on builds.a.o|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/1720/]: (x) *{color:red}-1 overall{color}* details (if available): (x) {color:red}-1 general checks{color} -- For more information [see general report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/1720//General_Nightly_Build_Report/] (x) {color:red}-1 jdk8 hadoop2 checks{color} -- For more information [see jdk8 (hadoop2) report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/1720//JDK8_Nightly_Build_Report_(Hadoop2)/] (/) {color:green}+1 jdk8 hadoop3 checks{color} -- For more information [see jdk8 (hadoop3) report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/1720//JDK8_Nightly_Build_Report_(Hadoop3)/] (x) {color:red}-1 source release artifact{color} -- See build output for details. (x) {color:red}-1 client integration test{color} -- Something went wrong with this stage, [check relevant console output|https://builds.apache.org/job/HBase%20Nightly/job/branch-2/1720//console]. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch, > HBASE-21481.master.014.patch, HBASE-21481.master.014.patch, > HBASE-21481.master.014.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16782150#comment-16782150 ] Hudson commented on HBASE-21481: Results for branch branch-2.2 [build #75 on builds.a.o|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.2/75/]: (x) *{color:red}-1 overall{color}* details (if available): (x) {color:red}-1 general checks{color} -- For more information [see general report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.2/75//General_Nightly_Build_Report/] (x) {color:red}-1 jdk8 hadoop2 checks{color} -- For more information [see jdk8 (hadoop2) report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.2/75//JDK8_Nightly_Build_Report_(Hadoop2)/] (x) {color:red}-1 jdk8 hadoop3 checks{color} -- For more information [see jdk8 (hadoop3) report|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.2/75//JDK8_Nightly_Build_Report_(Hadoop3)/] (x) {color:red}-1 source release artifact{color} -- See build output for details. (x) {color:red}-1 client integration test{color} -- Something went wrong with this stage, [check relevant console output|https://builds.apache.org/job/HBase%20Nightly/job/branch-2.2/75//console]. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch, > HBASE-21481.master.014.patch, HBASE-21481.master.014.patch, > HBASE-21481.master.014.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16781603#comment-16781603 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 13s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 26s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 17s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 31s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 41s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 32s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 2m 27s{color} | {color:blue} hbase-server in master has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 48s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 9s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 33s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 33s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 38s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 33s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 8m 51s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 27s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 51s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 35s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}140m 22s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 38s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}188m 8s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.client.TestAsyncTableGetMultiThreaded | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12960743/HBASE-21481.master.014.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux 927c85b0fb09 4.4.0-139-generic #165~14.04.1-Ubuntu SMP Wed Oct 31 10:55:11 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh | | git revision | master / fd152c265e | |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16781523#comment-16781523 ] Guanghao Zhang commented on HBASE-21481: The failed ut not realted and they failed frequently in precommit job. Feel free to commit it to branch-2.2+. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch, > HBASE-21481.master.014.patch, HBASE-21481.master.014.patch, > HBASE-21481.master.014.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16781461#comment-16781461 ] Reid Chan commented on HBASE-21481: --- Looks like some of tests are not very stable. Shall i try again. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch, > HBASE-21481.master.014.patch, HBASE-21481.master.014.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16781362#comment-16781362 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 32s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 34s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 20s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 32s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 40s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 31s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 2m 18s{color} | {color:blue} hbase-server in master has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 48s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 11s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 35s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 35s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 42s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 30s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 9m 7s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 25s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 50s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 33s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}221m 5s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 42s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}269m 37s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.replication.TestReplicationSyncUpTool | | | hadoop.hbase.master.procedure.TestSCPWithReplicas | | | hadoop.hbase.master.procedure.TestSCPWithReplicasWithoutZKCoordinated | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12960705/HBASE-21481.master.014.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux 484555e32497 4.4.0-138-generic #164~14.04.1-Ubuntu SMP Fri Oct 5 08:56:16 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780580#comment-16780580 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 21s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 22s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 42s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 19s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 30s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 10s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 2m 16s{color} | {color:blue} hbase-server in master has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 46s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 44s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 22s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 22s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 29s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 10s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 7m 57s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 10s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 47s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 45s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}290m 36s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 39s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}334m 43s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.master.procedure.TestServerCrashProcedure | | | hadoop.hbase.client.TestSnapshotTemporaryDirectory | | | hadoop.hbase.client.TestAsyncTableAdminApi | | | hadoop.hbase.client.TestFromClientSide3 | | | hadoop.hbase.client.TestSnapshotTemporaryDirectoryWithRegionReplicas | | | hadoop.hbase.client.TestSnapshotDFSTemporaryDirectory | | | hadoop.hbase.client.replication.TestReplicationAdminWithClusters | | | hadoop.hbase.regionserver.TestSplitTransactionOnCluster | | | hadoop.hbase.TestClientOperationTimeout | | | hadoop.hbase.client.TestCloneSnapshotFromClientNormal | | | hadoop.hbase.master.TestSplitWALManager | | | hadoop.hbase.master.procedure.TestServerCrashProcedureWithReplicas | | |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780285#comment-16780285 ] Guanghao Zhang commented on HBASE-21481: +1 for 014 patch. Let's wait the HADOOP QA result. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch, > HBASE-21481.master.014.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780276#comment-16780276 ] Reid Chan commented on HBASE-21481: --- There're some changes in tests to suit behavior {{skip the super user check if the caller is a super user}}. All tests in {{TestRpcAccessChecks}} passed on local. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch, > HBASE-21481.master.014.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780271#comment-16780271 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 26s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 29s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 40s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 31s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 38s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 30s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 2m 31s{color} | {color:blue} hbase-server in master has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 49s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 5s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 24s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 24s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 36s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 21s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 8m 28s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 22s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 48s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 28s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}241m 0s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 44s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}288m 37s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.master.procedure.TestServerCrashProcedure | | | hadoop.hbase.master.procedure.TestServerCrashProcedureWithReplicas | | | hadoop.hbase.master.TestSplitWALManager | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12960520/HBASE-21481.master.013.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux 20db1a00d333 3.13.0-153-generic #203-Ubuntu SMP Thu Jun 14 08:52:28 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780140#comment-16780140 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 13s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 33s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 6s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 3m 2s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 59s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 5m 18s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 3m 4s{color} | {color:blue} hbase-server in master has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 57s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 16s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 37s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 52s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 52s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 48s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 55s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 9m 15s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 4m 18s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 0s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 53s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}136m 59s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 40s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}191m 26s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.security.access.TestRpcAccessChecks | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12960516/HBASE-21481.master.012.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux fe8d215fa576 4.4.0-139-generic #165~14.04.1-Ubuntu SMP Wed Oct 31 10:55:11 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh | | git revision | master / 9370347efe | |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780092#comment-16780092 ] Reid Chan commented on HBASE-21481: --- bq. For keep behavior compatible, maybe better to skip the super user check if the caller is a super user? It makes sense to me, +1, let's skip it. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780087#comment-16780087 ] Guanghao Zhang commented on HBASE-21481: {quote}bq.So i want to keep it accord with other components. {quote} Ok. Let's keep it. For keep behavior compatible, maybe better to skip the super user check if the caller is a super user? > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780084#comment-16780084 ] Reid Chan commented on HBASE-21481: --- User is told to configured with '@'; In acl znode, the '@' is also kept; In AuthManager, '@' is also kept in PermissionCache. So i want to keep it accord with other components. WDYT? > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780078#comment-16780078 ] Guanghao Zhang commented on HBASE-21481: {quote}Yes, you're right. {quote} So no need to keep the '@' for distinguishing from user in SuperUsers? > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch, HBASE-21481.master.013.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780062#comment-16780062 ] Reid Chan commented on HBASE-21481: --- bq. After this, a super user can't revoke his permission, too? Yes. bq. But before this, a super user can revoke his permission and can grant it back? Yes bq. The user param may already have GROUP_PREFIX? Yes, you're right. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780051#comment-16780051 ] Guanghao Zhang commented on HBASE-21481: {code:java} public static boolean isSuperUser(String user) { return superUsers.contains(user) || superGroups.contains(AuthUtil.toGroupEntry(user)); } {code} The user param may already have GROUP_PREFIX? There arleady have a group principal check in AccessChecker#performOnSuperuser method. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780048#comment-16780048 ] Guanghao Zhang commented on HBASE-21481: v12 patch looks good. But there is one problem need to confirm. After this, a super user can't revoke his permission, too? But before this, a super user can revoke his permission and can grant it back? > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780035#comment-16780035 ] Reid Chan commented on HBASE-21481: --- I uploaded a wrong patch. (facepalm) Reattached v12 patch. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch, > HBASE-21481.master.012.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16780022#comment-16780022 ] Guanghao Zhang commented on HBASE-21481: [~reidchan] The 012 patch is not related to this issue? > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-20993.branch-1.012.patch, > HBASE-21481.master.001.patch, HBASE-21481.master.002.patch, > HBASE-21481.master.003.patch, HBASE-21481.master.004.patch, > HBASE-21481.master.005.patch, HBASE-21481.master.006.patch, > HBASE-21481.master.007.patch, HBASE-21481.master.008.patch, > HBASE-21481.master.009.patch, HBASE-21481.master.010.patch, > HBASE-21481.master.011.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16779350#comment-16779350 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 21s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 1s{color} | {color:blue} Findbugs executables are not available. {color} | | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} branch-1 Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 1m 21s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 6m 38s{color} | {color:green} branch-1 passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 50s{color} | {color:green} branch-1 passed with JDK v1.8.0_201 {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 55s{color} | {color:green} branch-1 passed with JDK v1.7.0_201 {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 46s{color} | {color:green} branch-1 passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 2m 30s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 42s{color} | {color:green} branch-1 passed with JDK v1.8.0_201 {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 55s{color} | {color:green} branch-1 passed with JDK v1.7.0_201 {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 34s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 47s{color} | {color:green} the patch passed with JDK v1.8.0_201 {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 47s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 54s{color} | {color:green} the patch passed with JDK v1.7.0_201 {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 54s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 29s{color} | {color:green} hbase-client: The patch generated 0 new + 1 unchanged - 1 fixed = 1 total (was 2) {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 1m 15s{color} | {color:red} hbase-server: The patch generated 1 new + 76 unchanged - 0 fixed = 77 total (was 76) {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 2m 28s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 1m 34s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 41s{color} | {color:green} the patch passed with JDK v1.8.0_201 {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 57s{color} | {color:green} the patch passed with JDK v1.7.0_201 {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 30s{color} | {color:green} hbase-client in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 28m 35s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 23s{color} | {color:green} The patch does not generate ASF
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16779209#comment-16779209 ] Reid Chan commented on HBASE-21481: --- v12 removed super user information from {{AuthManager}}, and reused those information in {{Superusers}}. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-20993.branch-1.012.patch, > HBASE-21481.master.001.patch, HBASE-21481.master.002.patch, > HBASE-21481.master.003.patch, HBASE-21481.master.004.patch, > HBASE-21481.master.005.patch, HBASE-21481.master.006.patch, > HBASE-21481.master.007.patch, HBASE-21481.master.008.patch, > HBASE-21481.master.009.patch, HBASE-21481.master.010.patch, > HBASE-21481.master.011.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16778875#comment-16778875 ] Reid Chan commented on HBASE-21481: --- Got your point, i will clean them up in v12. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0, 2.3.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16778857#comment-16778857 ] Guanghao Zhang commented on HBASE-21481: Got it. The callee only is a String: user name or group. Sorry for not very familiar with this. But why don't add a Superusers.isSuperUser(String) method? Then we don't need store the superUsers and groups in AuthManager, again. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16778852#comment-16778852 ] Reid Chan commented on HBASE-21481: --- Let's say: A grant|revoke B permissions, caller A(a User object) and callee B(a String object) will be passed to server. Hoping i make it clear. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16778849#comment-16778849 ] Reid Chan commented on HBASE-21481: --- Callee is not a User object, that's why we can't use that method. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16778828#comment-16778828 ] Guanghao Zhang commented on HBASE-21481: {quote}if (authManager.checkSuperPrivileges(name)) {quote} I mean that if use Superusers.isSuperUser here, no need to change so much code? > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16777838#comment-16777838 ] Reid Chan commented on HBASE-21481: --- Failed tests passed on local with patch applied. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1616#comment-1616 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 23s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 28s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 6s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 25s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 30s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 22s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 2m 18s{color} | {color:blue} hbase-server in master has 1 extant Findbugs warnings. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 50s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 15s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 46s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 27s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 27s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 26s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 11s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 9m 3s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 4m 12s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 42s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 3m 10s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}261m 27s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 37s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}309m 6s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.client.TestFastFail | | | hadoop.hbase.client.TestFromClientSideWithCoprocessor | | | hadoop.hbase.client.TestFromClientSide3 | | | hadoop.hbase.master.procedure.TestServerCrashProcedureWithReplicas | | | hadoop.hbase.master.TestAssignmentManagerMetrics | | | hadoop.hbase.master.procedure.TestServerCrashProcedure | | | hadoop.hbase.client.TestAdmin1 | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12960117/HBASE-21481.master.011.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16777530#comment-16777530 ] Reid Chan commented on HBASE-21481: --- Thanks for the review, [~zghaobac]. Addressed your comments in v11. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch, HBASE-21481.master.011.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16776501#comment-16776501 ] Guanghao Zhang commented on HBASE-21481: Sorry for late for this. Why don't use SuperUsers.isSuperUser directly to decide whether the use is a super user? > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16755847#comment-16755847 ] Hadoop QA commented on HBASE-21481: --- | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 12s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 1s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 26s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 56s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 3m 2s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 53s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 5m 18s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 46s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 56s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 17s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 16s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 53s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 53s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 53s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 5m 9s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 11m 11s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 4m 9s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 0s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 50s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green}140m 47s{color} | {color:green} hbase-server in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 43s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}197m 27s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12956840/HBASE-21481.master.010.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux 398a0deae1d3 4.4.0-139-generic #165~14.04.1-Ubuntu SMP Wed Oct 31 10:55:11 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build@2/component/dev-support/hbase-personality.sh | | git revision | master / f997252344 | | maven | version: Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z) | | Default Java |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16755754#comment-16755754 ] Reid Chan commented on HBASE-21481: --- ping [~zghaobac], It is planned to go in branch-2.2, as RM, would you mind taking time to review? > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16755681#comment-16755681 ] Reid Chan commented on HBASE-21481: --- v10 rebased master branch and fixed conflicts introduced by HBASE-21739. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch, > HBASE-21481.master.010.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16745908#comment-16745908 ] Reid Chan commented on HBASE-21481: --- ping [~busbey] > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16709540#comment-16709540 ] Reid Chan commented on HBASE-21481: --- Thank you, Sean! > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16708790#comment-16708790 ] Sean Busbey commented on HBASE-21481: - shoot forgot to post here. I started reviewing this. will try to finish up this week. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16708248#comment-16708248 ] Hadoop QA commented on HBASE-21481: --- | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 15s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 30s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 19s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 48s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 49s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 34s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 18s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 59s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 16s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 3s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 50s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 50s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 48s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 47s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 10m 51s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 37s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 55s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 43s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green}137m 57s{color} | {color:green} hbase-server in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 39s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}191m 44s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12950488/HBASE-21481.master.009.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux 98c4484b3a08 4.4.0-139-generic #165~14.04.1-Ubuntu SMP Wed Oct 31 10:55:11 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh | | git revision | master / 59cfe2e31b | | maven | version: Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z) | | Default Java | 1.8.0_181
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16708127#comment-16708127 ] Reid Chan commented on HBASE-21481: --- Rebased master branch only, nothing changed in patch. And trigger QA again. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch, HBASE-21481.master.009.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16704187#comment-16704187 ] Reid Chan commented on HBASE-21481: --- ping [~dbist13], [~psomogyi], WDYT. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16704185#comment-16704185 ] Reid Chan commented on HBASE-21481: --- Failed test passed locally, not related i think. {code} [INFO] --- [INFO] T E S T S [INFO] --- [INFO] Running org.apache.hadoop.hbase.client.TestRestoreSnapshotFromClientClone [INFO] Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 81.502 s - in org.apache.hadoop.hbase.client.TestRestoreSnapshotFromClientClone [INFO] [INFO] Results: [INFO] [INFO] Tests run: 4, Failures: 0, Errors: 0, Skipped: 0 {code} > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16703136#comment-16703136 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 11s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 15s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 26s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 24s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 31s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 52s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 40s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 47s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 29s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 29s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 29s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 24s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 47s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 9m 32s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 5s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 47s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 36s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}133m 41s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 31s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}179m 23s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12949988/HBASE-21481.master.008.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux f170ca8418c0 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh | | git revision | master / f1f2b5a038 | | maven | version: Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z) | | Default Java | 1.8.0_181 | | findbugs |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16702957#comment-16702957 ] Reid Chan commented on HBASE-21481: --- v8's local test result: {code} [INFO] --- [INFO] T E S T S [INFO] --- [INFO] Running org.apache.hadoop.hbase.security.access.TestRpcAccessChecks [INFO] Tests run: 14, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 22.918 s - in org.apache.hadoop.hbase.security.access.TestRpcAccessChecks [INFO] [INFO] Results: [INFO] [INFO] Tests run: 14, Failures: 0, Errors: 0, Skipped: 0 {code} > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch, > HBASE-21481.master.008.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16702760#comment-16702760 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 15s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 1m 27s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 24s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 16s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 24s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 39s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 37s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 49s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 47s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 9s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 9s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 46s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 9m 0s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 47s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 46s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 43s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}148m 28s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 33s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}194m 0s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.security.access.TestRpcAccessChecks | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12949926/HBASE-21481.master.007.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux fe68e31d5428 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build@2/component/dev-support/hbase-personality.sh | | git revision | master / d6e1d18be9 | | maven | version: Apache Maven 3.5.4
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16702659#comment-16702659 ] Reid Chan commented on HBASE-21481: --- Fixed TestRpcAccessChecks initialization problems. Other failed UTs are not related, most of them are timeout or reading xml problem. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch, HBASE-21481.master.007.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16702099#comment-16702099 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 16s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 1s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 4s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 15s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 26s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 45s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 30s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 46s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 16s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 1s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 14s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 14s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 26s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 49s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 8m 23s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 53s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 47s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 44s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}251m 5s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 48s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}294m 34s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.client.TestSnapshotTemporaryDirectoryWithRegionReplicas | | | hadoop.hbase.security.access.TestRpcAccessChecks | | | hadoop.hbase.client.TestAdmin1 | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12949827/HBASE-21481.master.006.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux 01b51a1edc08 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16701747#comment-16701747 ] Reid Chan commented on HBASE-21481: --- v6 addressed some of comments in RB. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch, > HBASE-21481.master.006.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16701327#comment-16701327 ] Reid Chan commented on HBASE-21481: --- Yes, passed locally. {{TestRpcAccessChecks.setup:141 » IllegalState A mini-cluster is already running}} looks like something about mini-cluster. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16701209#comment-16701209 ] Artem Ervits commented on HBASE-21481: -- [~reidchan] your patch fails in [https://builds.apache.org/job/PreCommit-HBASE-Build/15119/artifact/patchprocess/patch-unit-hbase-server.txt] does it pass locally? > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699883#comment-16699883 ] Reid Chan commented on HBASE-21481: --- It's a non-trivial patch i think, need +1 from team member. Would you mind spending some time to review this patch? [~tedyu] [~elserj] [~busbey] [~dbist13] [~psomogyi] Many thanks. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch, HBASE-21481.master.005.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698908#comment-16698908 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 11s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 25s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 58s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 15s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 27s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 46s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 31s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 46s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 15s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 3s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 17s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 17s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 28s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 44s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 8m 17s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 45s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 44s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 34s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}126m 30s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 49s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}169m 32s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.security.access.TestRpcAccessChecks | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12949473/HBASE-21481.master.005.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux e961d0fed262 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh | | git revision | master / 1acbd36c90 | | maven | version: Apache Maven 3.5.4
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16694902#comment-16694902 ] Hadoop QA commented on HBASE-21481: --- | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 11s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 58s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 13s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 27s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 48s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 30s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 43s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 14s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 59s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 13s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 13s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 25s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 44s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 8m 16s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 48s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 47s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 43s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green}123m 35s{color} | {color:green} hbase-server in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 47s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}166m 19s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12949046/HBASE-21481.master.004.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux 62b6b75c1cd8 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh | | git revision | master / 5cc845b713 | | maven | version: Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe; 2018-06-17T18:33:14Z) | | Default Java | 1.8.0_181 | |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16694722#comment-16694722 ] Reid Chan commented on HBASE-21481: --- ping [~stack], would you mind taking a look, if having free cycles. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16694704#comment-16694704 ] Reid Chan commented on HBASE-21481: --- v4 fixed checkstyle warning > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch, > HBASE-21481.master.002.patch, HBASE-21481.master.003.patch, > HBASE-21481.master.004.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16694659#comment-16694659 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 2m 13s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 1m 44s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 57s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 18s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 30s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 54s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 45s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 53s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 15s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m 54s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 16s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 16s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 1m 3s{color} | {color:red} hbase-server: The patch generated 1 new + 33 unchanged - 0 fixed = 34 total (was 33) {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 50s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 8m 29s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 40s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 45s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 45s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}154m 44s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 56s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}204m 14s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12949017/HBASE-21481.master.003.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux ffe176dc9ac3 4.4.0-131-generic #157~14.04.1-Ubuntu SMP Fri Jul 13 08:53:17 UTC 2018 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh | | git revision | master / 5ded294419 | | maven | version: Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe;
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16690922#comment-16690922 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 19s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 25s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 3s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 3m 1s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 48s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 44s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 11s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 59s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 17s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 55s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 55s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 2m 55s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 0m 27s{color} | {color:red} hbase-common: The patch generated 1 new + 7 unchanged - 0 fixed = 8 total (was 7) {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 1m 22s{color} | {color:red} hbase-server: The patch generated 1 new + 33 unchanged - 0 fixed = 34 total (was 33) {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 44s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 10m 23s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 38s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 58s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 3m 3s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}272m 31s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 53s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}326m 28s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.replication.TestSyncReplicationStandbyKillRS | | | hadoop.hbase.master.procedure.TestServerCrashProcedureWithReplicas | | | hadoop.hbase.security.visibility.TestVisibilityLablesWithGroups | | | hadoop.hbase.client.TestAdmin1 | | | hadoop.hbase.security.access.TestRpcAccessChecks | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL |
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16690445#comment-16690445 ] Hadoop QA commented on HBASE-21481: --- | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 14s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 2 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 29s{color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 28s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 14s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 34s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 58s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 34s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 46s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 13s{color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 21s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 2m 12s{color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} javac {color} | {color:red} 1m 45s{color} | {color:red} hbase-server generated 1 new + 187 unchanged - 1 fixed = 188 total (was 188) {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 0m 23s{color} | {color:red} hbase-common: The patch generated 1 new + 7 unchanged - 0 fixed = 8 total (was 7) {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 1m 11s{color} | {color:red} hbase-server: The patch generated 3 new + 33 unchanged - 0 fixed = 36 total (was 33) {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 58s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 8m 51s{color} | {color:green} Patch does not cause any errors with Hadoop 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 54s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 49s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 52s{color} | {color:green} hbase-common in the patch passed. {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red}145m 6s{color} | {color:red} hbase-server in the patch failed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 50s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black}190m 46s{color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.hbase.client.TestScannerTimeout | | | hadoop.hbase.security.visibility.TestVisibilityLablesWithGroups | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:b002b0b | | JIRA Issue | HBASE-21481 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12948585/HBASE-21481.master.001.patch | | Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti
[jira] [Commented] (HBASE-21481) [acl] Superuser's permissions should not be granted or revoked by any non-su global admin
[ https://issues.apache.org/jira/browse/HBASE-21481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16690391#comment-16690391 ] Reid Chan commented on HBASE-21481: --- * Add a check on target user/group where he is a superuser or a user in supergroup. * Add a new test: {{TestRpcAccessChecks#testGrantRevokeDeniedOnSuperUsersGroups}} which includes group permission test cases. * Change visibility of {{TestingGroups}} to _public_ for test, otherwise, it can't be initialized in AccessChecker. > [acl] Superuser's permissions should not be granted or revoked by any non-su > global admin > - > > Key: HBASE-21481 > URL: https://issues.apache.org/jira/browse/HBASE-21481 > Project: HBase > Issue Type: Improvement >Reporter: Reid Chan >Assignee: Reid Chan >Priority: Major > Labels: ACL, security-issue > Fix For: 3.0.0, 2.2.0 > > Attachments: HBASE-21481.master.001.patch > > > Superusers are {{hbase.superuser}} listed in configuration and plus the one > who start master process, these two may be overlap. > A superuser must be a global admin, but a global admin may not be a > superuser, possibly granted afterwards. > For now, an non-su global admin with a Global.ADMIN permission can grant or > revoke any superuser's permission, accidentally or deliberately. > The purpose of this issue is to ban this action. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)