[jira] [Commented] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x

Mon, 18 Nov 2013 11:53:46 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13825693#comment-13825693
 ] 

Hadoop QA commented on HBASE-9973:
----------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest 
attachment 
  http://issues.apache.org/jira/secure/attachment/12614439/9973-v2.patch
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author 
tags.

    {color:red}-1 tests included{color}.  The patch doesn't appear to include 
any new or modified tests.
                        Please justify why no new tests are needed for this 
patch.
                        Also please list what manual steps were performed to 
verify this patch.

    {color:green}+1 hadoop1.0{color}.  The patch compiles against the hadoop 
1.0 profile.

    {color:green}+1 hadoop2.0{color}.  The patch compiles against the hadoop 
2.0 profile.

    {color:red}-1 javadoc{color}.  The javadoc tool appears to have generated 
10 warning messages.

    {color:green}+1 javac{color}.  The applied patch does not increase the 
total number of javac compiler warnings.

    {color:green}+1 findbugs{color}.  The patch does not introduce any new 
Findbugs (version 1.3.9) warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase 
the total number of release audit warnings.

    {color:green}+1 lineLengths{color}.  The patch does not introduce lines 
longer than 100

    {color:red}-1 site{color}.  The patch appears to cause mvn site goal to 
fail.

    {color:green}+1 core tests{color}.  The patch passed unit tests in .

Test results: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//testReport/
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Console output: 
https://builds.apache.org/job/PreCommit-HBASE-Build/7919//console

This message is automatically generated.

> [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade 
> to 0.96.x from 0.94.x or 0.92.x
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-9973
>                 URL: https://issues.apache.org/jira/browse/HBASE-9973
>             Project: HBase
>          Issue Type: Bug
>          Components: migration, security
>    Affects Versions: 0.96.0, 0.96.1
>            Reporter: Aleksandr Shulman
>            Assignee: Himanshu Vashishtha
>              Labels: acl
>             Fix For: 0.96.1
>
>         Attachments: 9973-v2.patch, 9973-v2.patch, 9973.patch
>
>
> In our testing, we have uncovered that the ACL permissions for users with the 
> 'A' credential do not hold after the upgrade to 0.96.x.
> This is because in the ACL table, the entry for the admin user is a 
> permission on the '_acl_' table with permission 'A'. However, because of the 
> namespace transition, there is no longer an '_acl_' table. Therefore, that 
> entry in the hbase:acl table is no longer valid.
> Example:
> {code}hbase(main):002:0> scan 'hbase:acl'
> ROW                   COLUMN+CELL                                             
>   
>  TestTable            column=l:hdfs, timestamp=1384454830701, value=RW        
>   
>  TestTable            column=l:root, timestamp=1384455875586, value=RWCA      
>   
>  _acl_                column=l:root, timestamp=1384454767568, value=C         
>   
>  _acl_                column=l:tableAdmin, timestamp=1384454788035, value=A   
>   
>  hbase:acl            column=l:root, timestamp=1384455875786, value=C         
>   
> {code}
> In this case, the following entry becomes meaningless:
> {code} _acl_                column=l:tableAdmin, timestamp=1384454788035, 
> value=A     {code}
> As a result, 
> Proposed fix:
> I see the fix being relatively straightforward. As part of the migration, 
> change any entries in the '_acl_' table with key '_acl_' into a new row with 
> key 'hbase:acl', all else being the same. And the old entry would be deleted.
> This can go into the standard migration script that we expect users to run.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Reply via email to