[jira] [Commented] (HBASE-14475) Region split requests are always audited with "hbase" user rather than request user

Fri, 25 Sep 2015 11:52:42 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-14475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14908499#comment-14908499
 ] 

Enis Soztutar commented on HBASE-14475:
---------------------------------------

+1 for v3. Though lacking sufficient testing in this area bothers me. Is there 
a way we can add a UT for this? If not UT, we should make sure that at least 
the patch is verified. 

> Region split requests are always audited with "hbase" user rather than 
> request user
> -----------------------------------------------------------------------------------
>
>                 Key: HBASE-14475
>                 URL: https://issues.apache.org/jira/browse/HBASE-14475
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Enis Soztutar
>            Assignee: Ted Yu
>             Fix For: 2.0.0, 1.2.0, 1.3.0, 0.98.15, 1.0.3, 1.1.3
>
>         Attachments: 14475-branch-1-v2.txt, 14475-v2.txt, 14475-v3.txt
>
>
> [~madhan.neethiraj] from Ranger reported that when a region split request is 
> initiated from the user, we always audit (and do the permission check) 
> against the hbase user, not the request user. 
> The issue is that a split request that is coming from the user is only 
> processed at a later time from the CompactSplitThread asynchronously to the 
> splitRegion RPC.
> RSRpcServices.splitRegion() only does a flush from the handler thread and 
> then calls regionServer.compactSplitThread.requestSplit() which puts a 
> SplitRequest to the split queue. The split request is handled by the split 
> executor from CompactSplitThread.
> Since the split is actually executed from the compact split thread, the 
> preSplit() for the AccessController is called from the executor thread. In 
> this thread, we no longer have the user who initially requested the split, so 
> the user in the context (UGI) is "hbase", causing the AC.preSplit() access 
> control check to be always be performed against the hbase user, not the user 
> who have submitted the request. The audit log also contains "hbase" user 
> rather than the actual user.
> Luckily, the split forces a flush to the region in-line (from the handler 
> thread), which requires a {{CREATE|ADMIN}} permission. split requires 
> {{ADMIN}}, but due to this bug {{CREATE}} is also sufficient (although we 
> have not verified it manually). {{CREATE}} permission can do flush and 
> compactions, so this is not a security issue (I think). 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to