[
https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14235885#comment-14235885
]
Andrew Purtell commented on HBASE-12641:
----------------------------------------
Sure this makes sense. We were not expecting that there would be "other"
superusers than the HBase service account needing to access znodes, but these
changes support that use case and seem fine, except:
{code}
--- hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -949,8 +951,17 @@ public class ZKUtil {
conf.get("hbase.zookeeper.client.keytab.file") != null);
}
- private static List<ACL> createACL(ZooKeeperWatcher zkw, String node) {
+ private static ArrayList<ACL> createACL(ZooKeeperWatcher zkw, String node) {
+ if (!node.startsWith(zkw.baseZNode)) {
+ return Ids.OPEN_ACL_UNSAFE;
+ }
if (isSecureZooKeeper(zkw.getConfiguration())) {
+ String superUser = zkw.getConfiguration().get("hbase.superuser");
+ ArrayList<ACL> acls = new ArrayList<ACL>();
+ // add permission to hbase supper user
+ if (superUser != null) {
+ acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
+ }
// Certain znodes are accessed directly by the client,
// so they must be readable by non-authenticated clients
if ((node.equals(zkw.baseZNode) == true) ||
{code}
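Review bot: The new `acls.add(new ACL(Perms.ALL, new Id("auth", superUser)))` line does not express the superuser it names: ZooKeeper's "auth" scheme ignores the id expression and matches whichever identity the creating session authenticated as, so this entry grants ALL to the process creating the znode (the master/regionserver service principal, which already holds ALL via the existing secure ACLs) rather than to `hbase.superuser`. To grant the configured superuser on a Kerberos cluster, the entry should use the "sasl" scheme with the principal as the id, and since `hbase.superuser` is a comma-separated list that may also contain `@group` entries, it needs to be split per entry (skipping groups, which have no ZooKeeper id) instead of being passed as a single id. The early `if (!node.startsWith(zkw.baseZNode)) return Ids.OPEN_ACL_UNSAFE;` sits before the `isSecureZooKeeper()` check, so on a secure cluster any znode outside the base znode is created world-open; if that is intended it deserves a comment, otherwise move it inside the secure branch. Minor: "supper user" in the added comment should read "super user".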
Why the 'if (!node.startsWith(zkw.baseZNode))' shortcut? If not
isSecureZooKeeper() then we will fall through and return OPEN_ACL_UNSAFE
anyway. If this is meant as part of handling when isSecureZooKeeper() is true,
then move the shortcut inside that conditional.
> Grant all permissions of hbase zookeeper node to hbase superuser in a secure
> cluster
> ------------------------------------------------------------------------------------
>
> Key: HBASE-12641
> URL: https://issues.apache.org/jira/browse/HBASE-12641
> Project: HBase
> Issue Type: Improvement
> Components: Zookeeper
> Reporter: Liu Shaohui
> Assignee: Liu Shaohui
> Priority: Minor
> Fix For: 1.0.0
>
> Attachments: HBASE-12641-v1.diff
>
>
> Currently in a secure cluster, only the master/regionserver kerberos user can
> manage the znode of hbase. But the master/regionserver kerberos user is for
> rpc connection and we usually use another super user to manage the cluster.
> In some special scenarios, we need to manage the data of znode with the
> super user.
> eg:
> a, To get the data of the znode for debugging.
> b, HBASE-8253: We need to delete the znode for the corrupted hlog to avoid it
> blocking the replication.
> So we grant all permissions of hbase zookeeper node to hbase superuser during
> creating these znodes.
> Suggestions are welcomed.
> [~apurtell]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)