[
https://issues.apache.org/jira/browse/HBASE-13768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14559850#comment-14559850
]
Andrew Purtell commented on HBASE-13768:
----------------------------------------
bq. Today we release this patch and we decide to not include backup-master and
region-in-transition, so they are still world readable. next month we decide to
restrict them to be non-client readable. what is the upgrade and auto-fix path
Yeah, we should make a whitelist of world-readable znode paths. Then, enumerate
znodes under the root at master startup, recursively make world readable only
if appearing in the whitelist, or recursively make private if not. I think
checking only the children of the root znode is sufficient for now. The code
could be updated later if it needs to check down additional levels.
> ZooKeeper znodes are bootstrapped with insecure ACLs in a secure configuration
> ------------------------------------------------------------------------------
>
> Key: HBASE-13768
> URL: https://issues.apache.org/jira/browse/HBASE-13768
> Project: HBase
> Issue Type: Bug
> Reporter: Andrew Purtell
> Assignee: Enis Soztutar
> Priority: Blocker
> Fix For: 2.0.0, 0.98.13, 1.0.2, 1.2.0, 1.1.1, 0.98.12.1, 1.0.1.1,
> 1.1.0.1
>
> Attachments: HBASE-13768_v1.patch, HBASE-13768_v2.patch
>
>
> A logic error causes HBase in most secure configuration deployments to handle
> its coordination state in ZooKeeper via insecure ACLs. Anyone with remote
> unauthenticated network access to the ZooKeeper quorum, which by definition
> includes all HBase clients, can make use of this opening to violate the
> operational integrity of the system. For example, critical znodes can be
> deleted, causing outages. It is possible to introduce rogue replication
> endpoints. It is possible to direct the distributed log splitting facility to
> split arbitrary files in HDFS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
