[jira] [Commented] (HBASE-13768) ZooKeeper znodes are bootstrapped with insecure ACLs in a secure configuration

Wed, 27 May 2015 17:50:15 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-13768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14562105#comment-14562105
 ] 

Hudson commented on HBASE-13768:
--------------------------------

FAILURE: Integrated in HBase-0.98 #1006 (See 
[https://builds.apache.org/job/HBase-0.98/1006/])
HBASE-13768 ZooKeeper znodes are bootstrapped with insecure ACLs in a secure 
configuration (Enis Soztutar) (apurtell: rev 
f65d1639887068f812f3e26ddeeedd6d9f987436)
* 
hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
* hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
* 
hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/RecoverableZooKeeper.java
* 
hbase-it/src/test/java/org/apache/hadoop/hbase/test/IntegrationTestZKAndFSPermissions.java
* 
hbase-client/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperWatcher.java


> ZooKeeper znodes are bootstrapped with insecure ACLs in a secure configuration
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-13768
>                 URL: https://issues.apache.org/jira/browse/HBASE-13768
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Andrew Purtell
>            Assignee: Enis Soztutar
>            Priority: Blocker
>             Fix For: 2.0.0, 0.98.13, 1.0.2, 1.2.0, 1.1.1, 0.98.12.1, 1.0.1.1, 
> 1.1.0.1
>
>         Attachments: HBASE-13768-0.98.patch, HBASE-13768-branch-1.0.patch, 
> HBASE-13768-branch-1.patch, HBASE-13768_v1.patch, HBASE-13768_v2.patch, 
> HBASE-13768_v3.patch, HBASE-13768_v4.patch
>
>
> A logic error causes HBase in most secure configuration deployments to handle 
> its coordination state in ZooKeeper via insecure ACLs. Anyone with remote 
> unauthenticated network access to the ZooKeeper quorum, which by definition 
> includes all HBase clients, can make use of this opening to violate the 
> operational integrity of the system. For example, critical znodes can be 
> deleted, causing outages. It is possible to introduce rogue replication 
> endpoints. It is possible to direct the distributed log splitting facility to 
> split arbitrary files in HDFS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to