zhanglu153 created ZOOKEEPER-4996:
-------------------------------------
Summary: The appearance of the 'auth' schema leads to invalid znode authentication
Key: ZOOKEEPER-4996
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4996
Project: ZooKeeper
Issue Type: Bug
Components: server
Affects Versions: 3.4.14
Reporter: zhanglu153
Attachments: image-2025-11-25-10-45-49-204.png, image-2025-11-25-10-47-57-520.png, image-2025-11-25-10-51-03-165.png
After calling getACL, multiple znodes returned the auth schema, causing the client
to throw a NoAuth exception.
The operation steps are as follows:
* Configure in jaas.conf:
{code:java}
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/cloud/service/zookeeper/conf/hbase.keytab"
storeKey=true
useTicketCache=false
principal="[email protected]";
};
{code}
* zkCli.sh server 192.168.180.23 performs hbase user authentication, and some
znodes turn out to have incorrect permissions. Use the ZooKeeper super
administrator to query the permissions of the znodes with incorrect
permissions. !image-2025-11-25-10-51-03-165.png!
{code:java}
getAcl /hbase/replication/peers
'auth,'
: cdrwa
getAcl /hbase/hbaseid
'auth,'
: cdrwa
'world,'anyone
: r{code}
The following znodes have permission issues, including some znodes
for hive in addition to hbase:
* /hbase/replication/peers 'auth,': cdrwa
* /hbase/replication/rs 'auth,': cdrwa
* /hbase/table-lock/hdp_ns:spark_test 'auth,': cdrwa
* /hbase/flush-table-proc/abort 'auth,': cdrwa
* /hbase/flush-table-proc/acquired 'auth,': cdrwa
* /hbase/flush-table-proc/reached 'auth,': cdrwa
* /hbase/online-snapshot/abort 'auth,': cdrwa
* /hbase/online-snapshot/acquired 'auth,': cdrwa
* /hbase/online-snapshot/reached 'auth,': cdrwa
* /hbase/tokenauth/keys 'auth,': cdrwa
* /hbase/tokenauth/keys/22 'auth,': cdrwa
* /hbase/tokenauth/keys/23 'auth,': cdrwa
* /hbase/tokenauth/keys/24 'auth,': cdrwa
* /hbase/tokenauth/keys/18 'auth,': cdrwa
* /hbase/tokenauth/keys/19 'auth,': cdrwa
* /hbase/tokenauth/keys/20 'auth,': cdrwa
* /hbase/tokenauth/keys/21 'auth,': cdrwa
* /hbase/recovering-regions 'auth,': cdrwa
* /hbase/draining 'auth,': cdrwa
* /hbase/namespace 'auth,': cdrwa
* /hbase/namespace/default 'auth,': cdrwa
* /hbase/namespace/hdp_ns 'auth,': cdrwa
* /hbase/namespace/hbase 'auth,': cdrwa
* /hbase/hbaseid 'auth,': cdrwa 'world,'anyone: r
* /hbase/table 'auth,': cdrwa 'world,'anyone: r
* /hbase/table/hbase:meta 'auth,': cdrwa 'world,'anyone: r
* /hbase/table/hbase:namespace 'auth,': cdrwa 'world,'anyone: r
* /hbase/table/hdp_ns:spark_test_sink 'auth,': cdrwa 'world,'anyone: r
* /hbase/table/hdp_ns:spark_test 'auth,': cdrwa 'world,'anyone: r
* /hbase/table/hdp_ns:yhb_tbl_1 'auth,': cdrwa 'world,'anyone: r
* /hbase/table/hdp_ns:flink_test 'auth,': cdrwa 'world,'anyone: r
* /hbase/table/hdp_ns:flink_test1 'auth,': cdrwa 'world,'anyone: r
* /hivedelegationMETASTORE/keys/0000000019 'auth,': cdrwa
* /hivedelegationMETASTORE/keys/0000000021 'auth,': cdrwa
* /hivedelegationMETASTORE/keys/0000000020 'auth,': cdrwa
* /hivedelegationHIVESERVER2/keys/0000000019 'auth,': cdrwa
* /hivedelegationHIVESERVER2/keys/0000000021 'auth,': cdrwa
* /hivedelegationHIVESERVER2/keys/0000000020 'auth,': cdrwa
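As an added illustration (not part of the original report and not ZooKeeper's own code), this Python sketch parses `getAcl` output in the layout shown in the report and lists the znodes that carry an `auth` entry with an empty id, together with whatever other ACL entries remain on them. The sample transcript is constructed; the `/hbase/master` entry with a `sasl` id is an assumed healthy entry added for contrast.

```python
import re

# Constructed sample in the zkCli getAcl layout shown in the report.
SAMPLE = """\
getAcl /hbase/replication/peers
'auth,'
: cdrwa
getAcl /hbase/hbaseid
'auth,'
: cdrwa
'world,'anyone
: r
getAcl /hbase/master
'sasl,'hbase
: cdrwa
"""

CMD = re.compile(r"\bgetAcl\s+(\S+)")          # also matches after a zkCli prompt
ENTRY = re.compile(r"^'(?P<scheme>[^,']*),'(?P<id>.*)$")

def parse_getacl(text):
    """Return {znode: [(scheme, id, perms), ...]} from a zkCli transcript."""
    acls, path, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (c := CMD.search(line)):
            path, pending = c.group(1), None
            acls[path] = []
        elif path is not None and (m := ENTRY.match(line)):
            pending = (m["scheme"], m["id"])    # perms follow on the next line
        elif pending and line.startswith(":"):
            acls[path].append((*pending, line[1:].strip()))
            pending = None
    return acls

def is_empty_auth(scheme, ident):
    """True for the entry shape in the report: scheme 'auth' with no id."""
    return scheme == "auth" and not ident

def triage(acls):
    """Map each affected znode to the other ACL entries still present on it."""
    return {
        path: [f"{s}:{i}={p}" for s, i, p in entries if not is_empty_auth(s, i)]
        for path, entries in acls.items()
        if any(is_empty_auth(s, i) for s, i, _ in entries)
    }

if __name__ == "__main__":
    for znode, rest in triage(parse_getacl(SAMPLE)).items():
        print(znode, "->", rest or "no other ACL entries")
```

An empty list means the `auth` entry is the only ACL on that znode, while a remaining `world:anyone=r` entry means the znode is still readable.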