[jira] [Created] (HBASE-18323) Remove multiple ACLs for the same user in kerberos

Shibin Zhang (JIRA) Tue, 04 Jul 2017 23:55:22 -0700

Shibin Zhang created HBASE-18323:
------------------------------------

             Summary: Remove multiple ACLs for the same user in kerberos
                 Key: HBASE-18323
                 URL: https://issues.apache.org/jira/browse/HBASE-18323
             Project: HBase
          Issue Type: Bug
    Affects Versions: 3.0.0
            Reporter: Shibin Zhang
            Priority: Critical



When deploy hbase in kerberos way ,there will be multiple acls in znode :
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa

I also see the related issue and apply the patch, like  
https://issues.apache.org/jira/browse/HBASE-17717 
but in my environment ,this situation still appear,

After dig into the code , i found the reason in source code  ZKUtil.createAcl  
is

 if (zkw.isClientReadable(node)) {
        LOG.error("isSecureZooKeeper user: clientReadable");
        acls.addAll(Ids.CREATOR_ALL_ACL);
        acls.addAll(Ids.READ_ACL_UNSAFE);
      } else {
        LOG.error("isSecureZooKeeper user: clientReadable no");
        acls.addAll(Ids.CREATOR_ALL_ACL);
      } 


  acls.addAll(Ids.CREATOR_ALL_ACL);   
  
  Id AUTH_IDS = new Id("auth", "");

ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new 
ACL(31, AUTH_IDS)));


AUTH_IDS   with  "auth " will result  current connection auth user  add to 
znode acl ,
so it will appear multiple acls for same users.


I think this line of code  we can remove  :  acls.addAll(Ids.CREATOR_ALL_ACL);  
 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Created] (HBASE-18323) Remove multiple ACLs for the same user in kerberos

Reply via email to