[
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13825559#comment-13825559
]
Himanshu Vashishtha commented on HBASE-9973:
--------------------------------------------
Yes, that's why I removed the compaction call, thanks. Yes, the region is
flushed when we close it.
Good call, I skipped the ACL_GLOBAL_NAME variable. Added it and moved the
result check up.
mvn test -Dtest=Test*Namespace* passes on local. Also, ran the upgrade against
a 94 installation.
On a 94 set up:
{code}
hbase(main):006:0> scan '_acl_'
ROW COLUMN+CELL
TestTable column=l:root, timestamp=1384659937736,
value=RW
_acl_ column=l:root, timestamp=1384659909517,
value=CRA
_acl_ column=l:root2, timestamp=1384659916521,
value=CRA
2 row(s) in 0.0520 seconds
{code}
After upgrade to a 96 setup:
{code}
hbase(main):002:0> scan 'hbase:acl'
ROW COLUMN+CELL
TestTable column=l:root,
timestamp=1384659937736, value=RW
hbase:acl column=l:root,
timestamp=1384797939800, value=CRA
hbase:acl column=l:root2,
timestamp=1384797939800, value=CRA
2 row(s) in 0.0190 seconds
{code}
> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade
> to 0.96.x from 0.94.x or 0.92.x
> ------------------------------------------------------------------------------------------------------------
>
> Key: HBASE-9973
> URL: https://issues.apache.org/jira/browse/HBASE-9973
> Project: HBase
> Issue Type: Bug
> Components: security
> Affects Versions: 0.96.0, 0.96.1
> Reporter: Aleksandr Shulman
> Assignee: Himanshu Vashishtha
> Labels: acl
> Fix For: 0.96.1
>
> Attachments: 9973-v2.patch, 9973.patch
>
>
> In our testing, we have uncovered that the ACL permissions for users with the
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a
> permission on the '_acl_' table with permission 'A'. However, because of the
> namespace transition, there is no longer an '_acl_' table. Therefore, that
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW COLUMN+CELL
>
> TestTable column=l:hdfs, timestamp=1384454830701, value=RW
>
> TestTable column=l:root, timestamp=1384455875586, value=RWCA
>
> _acl_ column=l:root, timestamp=1384454767568, value=C
>
> _acl_ column=l:tableAdmin, timestamp=1384454788035, value=A
>
> hbase:acl column=l:root, timestamp=1384455875786, value=C
>
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_ column=l:tableAdmin, timestamp=1384454788035,
> value=A {code}
> As a result,
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration,
> change any entries in the '_acl_' table with key '_acl_' into a new row with
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
