[jira] [Commented] (HBASE-13768) ZooKeeper znodes are bootstrapped with insecure ACLs in a secure configuration

Mon, 25 May 2015 10:03:37 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-13768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14558391#comment-14558391
 ] 

Andrew Purtell commented on HBASE-13768:
----------------------------------------

The incorrect ACLs can be fixed with immediate effect using the following zkcli 
commands:

{noformat}
    setAcl /hbase world:anyone:r,sasl:hbase:cdrwa
    setAcl /hbase/backup-masters sasl:hbase:cdrwa
    setAcl /hbase/draining sasl:hbase:cdrwa
    setAcl /hbase/flush-table-proc sasl:hbase:cdrwa
    setAcl /hbase/hbaseid world:anyone:r,sasl:hbase:cdrwa
    setAcl /hbase/master world:anyone:r,sasl:hbase:cdrwa
    setAcl /hbase/meta-region-server world:anyone:r,sasl:hbase:cdrwa
    setAcl /hbase/namespace sasl:hbase:cdrwa
    setAcl /hbase/online-snapshot sasl:hbase:cdrwa
    setAcl /hbase/region-in-transition sasl:hbase:cdrwa
    setAcl /hbase/recovering-regions sasl:hbase:cdrwa
    setAcl /hbase/replication sasl:hbase:cdrwa
    setAcl /hbase/rs sasl:hbase:cdrwa
    setAcl /hbase/running sasl:hbase:cdrwa
    setAcl /hbase/splitWAL sasl:hbase:cdrwa
    setAcl /hbase/table sasl:hbase:cdrwa
    setAcl /hbase/table-lock sasl:hbase:cdrwa
    setAcl /hbase/tokenauth sasl:hbase:cdrwa
{noformat}

Note that not all of these znodes exist in an 0.98 deployment, so ensure you 
have spelled the znode correctly and otherwise ignore any 'not found' errors 
there. 

Without a logic fix, insecure ACLs will return should znodes be cleared or the 
code used to bootstrap another cluster.

> ZooKeeper znodes are bootstrapped with insecure ACLs in a secure configuration
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-13768
>                 URL: https://issues.apache.org/jira/browse/HBASE-13768
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Andrew Purtell
>            Assignee: Enis Soztutar
>            Priority: Blocker
>             Fix For: 2.0.0, 0.98.13, 1.0.2, 1.2.0, 1.1.1, 0.98.12.1, 1.0.1.1, 
> 1.1.0.1
>
>
> A logic error causes HBase in most secure configuration deployments to handle 
> its coordination state in ZooKeeper via insecure ACLs. Anyone with remote 
> unauthenticated network access to the ZooKeeper quorum, which by definition 
> includes all HBase clients, can make use of this opening to violate the 
> operational integrity of the system. For example, critical znodes can be 
> deleted, causing outages. It is possible to introduce rogue replication 
> endpoints. It is possible to direct the distributed log splitting facility to 
> split arbitrary files in HDFS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to