[
https://issues.apache.org/jira/browse/HBASE-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15222886#comment-15222886
]
Yu Li commented on HBASE-15577:
-------------------------------
I think this is a good way to supply some light-weight security. Some review
points:
In {{ZKUtil}}:
{noformat}
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
{noformat}
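Review bot: the catch block only calls e.printStackTrace(), so an IOException here goes to stderr rather than the class logger, and the hunk leaves no explicit choice of what is returned on failure. Log the exception through the logger and return a deliberate value from the catch. If that value is an open ACL, the log line should say so, because the nodes would then be created without the ACL check this change is meant to enable.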
I think we should fall back to return {{Ids.OPEN_ACL_UNSAFE}} here.
In {{ZooKeeperWatcher}}:
{noformat}
+ if("master".equals(identifier) || "regionserver".equals(identifier)){
{noformat}
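Review bot: the condition on identifier matches only the exact literals "master" and "regionserver", so any other identifier skips this branch without a trace. Add a code comment stating why the branch is limited to these two identifiers, and put a space after if and before the opening brace to match common Java formatting.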
Why only read auth for HMaster/RS? IMO we should also support client auth,
right? If there is any special reason to limit the auth to master/rs, we should use
{{HMaster.MASTER}} and {{HRegionServer.REGIONSERVER}} instead of the hard-coded
strings.
Please also add some UT cases for this feature. Thanks.
> there need be a mechanism to enable ZK's ACL check when the authentication
> strategy is simple
> ---------------------------------------------------------------------------------------------
>
> Key: HBASE-15577
> URL: https://issues.apache.org/jira/browse/HBASE-15577
> Project: HBase
> Issue Type: Improvement
> Affects Versions: 1.1.3
> Reporter: chenxu
> Assignee: chenxu
> Attachments: HBASE-15577.patch, zk-set-acl.patch
>
>
> If hbase.security.authentication is set to simple, ZKUtil.createACL
> just returns Ids.OPEN_ACL_UNSAFE, which means that there is no ACL check on the ZK
> node.
> We can refactor this to enable the ACL check function.