[ https://issues.apache.org/jira/browse/HBASE-14425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14791839#comment-14791839 ]
Rakesh R commented on HBASE-14425:
----------------------------------
ZooKeeper's authentication framework is pluggable. It provides a set of built-in
schemes. ZooKeeper's built-in ACL schemes are set on a per-user basis rather
than based on user group. If there are 'n' users in the group, we need to
manually add each authenticated user one by one. Please refer to the
[ZooKeeperAccessControl|http://zookeeper.apache.org/doc/r3.4.6/zookeeperProgrammers.html#sc_ZooKeeperAccessControl]
section to understand more.
For example,
the ZK auth scheme allows us to have multiple authorized users access a single
znode, say "/path", with different username and password combinations. Say we
have 3 users:
{code}
username : password
user_123 : pwd_123
user_456 : pwd_456
user_789 : pwd_789
{code}
All these users need to be explicitly set on "/path" as a list of ACL
entries.
Does this answer your question?
> In Secure Zookeeper cluster superuser will not have sufficient permission if
> multiple values are configured in "hbase.superuser"
> --------------------------------------------------------------------------------------------------------------------------------
>
> Key: HBASE-14425
> URL: https://issues.apache.org/jira/browse/HBASE-14425
> Project: HBase
> Issue Type: Bug
> Reporter: Pankaj Kumar
> Assignee: Pankaj Kumar
> Fix For: 2.0.0
>
> Attachments: HBASE-14425.patch
>
>
> During master initialization we are setting ACLs for the znodes.
> In ZKUtil.createACL(ZooKeeperWatcher zkw, String node, boolean
> isSecureZooKeeper),
> {code}
> String superUser = zkw.getConfiguration().get("hbase.superuser");
> ArrayList<ACL> acls = new ArrayList<ACL>();
> // add permission to hbase super user
> if (superUser != null) {
>   acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
> }
> {code}
> Here we are directly setting the "hbase.superuser" value on the znode, which
> will cause an issue when multiple values are configured. In "hbase.superuser",
> multiple superusers and supergroups can be configured, separated by commas. We
> need to iterate over them and set the ACL.
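The per-user iteration discussed in this thread, as an added example (not the attached HBASE-14425.patch and not HBase's own code). It assumes the ZooKeeper client jar is on the classpath and that group entries in "hbase.superuser" carry a leading "@"; the class and method names and the sample value are made up for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class SuperuserAclExample {
  // Assumption: a group entry in "hbase.superuser" starts with '@'.
  private static final String GROUP_PREFIX = "@";
  // Same scheme as the snippet quoted in the issue description.
  private static final String SCHEME = "auth";

  /** One ACL entry per configured user; group names are returned via skippedGroups. */
  static List<ACL> superuserAcls(String superUserValue, List<String> skippedGroups) {
    List<ACL> acls = new ArrayList<>();
    if (superUserValue == null) {
      return acls;
    }
    Set<String> seen = new LinkedHashSet<>();
    for (String raw : superUserValue.split(",")) {
      String name = raw.trim();
      if (name.isEmpty() || !seen.add(name)) {
        continue; // ignore blanks ("a,,b") and duplicate names
      }
      if (name.startsWith(GROUP_PREFIX)) {
        // Built-in ZooKeeper schemes are per user, so a group has no Id to map to.
        skippedGroups.add(name);
      } else {
        acls.add(new ACL(Perms.ALL, new Id(SCHEME, name)));
      }
    }
    return acls;
  }

  public static void main(String[] args) {
    // Constructed sample value, not taken from a real cluster.
    String configured = "user_123, user_456,@admins,,user_123";
    List<String> groups = new ArrayList<>();
    for (ACL acl : superuserAcls(configured, groups)) {
      Id id = acl.getId();
      System.out.println(id.getScheme() + ":" + id.getId() + " perms=" + acl.getPerms());
    }
    System.out.println("groups without a znode ACL: " + groups);
  }
}
```

The ZooKeeper documentation linked in the comment describes `auth` as a scheme that doesn't use any id, so confirm on a test znode (for example with `getAcl`) that the stored entries are the per-user ones you expect.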