[
https://issues.apache.org/jira/browse/HBASE-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15228223#comment-15228223
]
Yu Li commented on HBASE-15577:
-------------------------------
bq. the reason HMaster.MASTER & HRegionServer.REGIONSERVER are not used
is that hbase-client has no dependency on hbase-server
Ok, then I suggest moving the constants into HConstants and using them everywhere,
if necessary.
bq. the client just needs some auth to read the ZK's nodes, but can't modify them.
The auth config is read from the configuration file, right? IMO it's better to
control the access through configuration (a wrong auth won't be able to access).
OTOH, since ZooKeeperWatcher is {{IA.Private}}, if there is no special design for the UT
case, I think we could even remove the identifier check.
W.r.t. unit tests, it would be great if you could refer to {{TestZooKeeperACL}}
and add a case for the sanity test steps in the description. Thanks.
> there needs to be a mechanism to enable ZK's ACL check when the authentication
> strategy is simple
> ---------------------------------------------------------------------------------------------
>
> Key: HBASE-15577
> URL: https://issues.apache.org/jira/browse/HBASE-15577
> Project: HBase
> Issue Type: Improvement
> Affects Versions: 1.1.3
> Reporter: chenxu
> Assignee: chenxu
> Attachments: HBASE-15577-02.patch, HBASE-15577.patch, zk-set-acl.patch
>
>
> if hbase.security.authentication is set to simple, ZKUtil.createACL
> just returns Ids.OPEN_ACL_UNSAFE, meaning that there is no ACL check on the ZK's
> nodes.
> we can refactor this to enable the ACL check function
> manual steps to verify the patch
> *1. set these properties in hbase-site.xml*
> {quote}
> hbase.security.authentication(simple)
> hbase.zookeeper.acl (digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa)
> hbase.zookeeper.auth(digest:admin)
> {quote}
> the digest can be generated by
> DigestAuthenticationProvider.generateDigest("admin")
> *2. start the cluster*
> *3. verify the zk's nodes*
> {quote}
> (1)getAcl /hbase, result is:
> 'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
> 'world,'anyone: r
> (2)getAcl /hbase/table-lock, result is:
> 'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
> {quote}
> if the node is one of those below, all clients can read the node, but only the
> servers (RegionServer & Master, which have the auth info) can modify it
> {quote}
> /hbase
> /hbase/meta-region-server
> /hbase/master
> /hbase/hbaseid
> /hbase/rs
> /hbase/table
> /hbase/table/$tableName
> {quote}
> otherwise, only the servers can read and modify the node; the client can't see
> it
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
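The three manual verification steps in the issue description (generate the digest, set the hbase.zookeeper.acl value, compare the getAcl output of each znode against the expected ACL) can be scripted. The following is an added example written for this page, not code from the HBase patch or from ZooKeeper. It re-implements what ZooKeeper's DigestAuthenticationProvider.generateDigest() does (base64 of SHA-1 over the full "user:password" string, prefixed with the user part before the first colon), builds the hbase.zookeeper.acl property, and checks zkCli getAcl output against the readable/non-readable split listed in the description. The getAcl samples are constructed from the lines in the description; the helper names (generate_digest, acl_property, expected_acl, parse_getacl, check_acl) are this example's own.

```python
import base64
import hashlib
import re

# Znodes the description says every client may read (world:anyone r). Any
# direct child of /hbase/table stands in for "/hbase/table/$tableName".
# Everything else (e.g. /hbase/table-lock) carries only the server's digest ACL.
WORLD_READABLE = {
    "/hbase",
    "/hbase/meta-region-server",
    "/hbase/master",
    "/hbase/hbaseid",
    "/hbase/rs",
    "/hbase/table",
}

# Constructed sample getAcl output, copied from step 3 of the description.
SAMPLE_GETACL_HBASE = """
'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
'world,'anyone: r
"""
SAMPLE_GETACL_TABLE_LOCK = """
'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
"""


def generate_digest(id_password: str) -> str:
    """Same computation as ZooKeeper's DigestAuthenticationProvider.generateDigest():
    SHA-1 over the whole "user:password" string, base64-encoded, with the text
    before the first colon as the id. Passing just "admin" (as the description
    does) hashes the bare username, i.e. an empty password."""
    user = id_password.split(":", 1)[0]
    digest = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(digest).decode('ascii')}"


def acl_property(id_password: str, perms: str = "cdrwa") -> str:
    """Value to put in hbase.zookeeper.acl: scheme:id:perms (assumed format,
    matching the description's digest:admin:<digest>:cdrwa)."""
    return f"digest:{generate_digest(id_password)}:{perms}"


def expected_acl(path: str, id_password: str) -> list:
    """ACL entries (scheme, id, perms) a znode should carry after the patch."""
    entries = [("digest", generate_digest(id_password), "cdrwa")]
    is_table_child = path.startswith("/hbase/table/") and path.count("/") == 3
    if path in WORLD_READABLE or is_table_child:
        entries.append(("world", "anyone", "r"))
    return entries


# zkCli prints "'scheme,'id : perms"; the id itself may contain a colon, and the
# perms may be on a following line starting with ":" in some zkCli versions.
ACL_LINE = re.compile(r"^'(\w+),'(.*?)\s*:\s*(\w+)$")


def parse_getacl(output: str) -> list:
    """Parse getAcl output into (scheme, id, perms) tuples."""
    joined = re.sub(r"\n\s*:", " :", output.strip())
    entries = []
    for line in joined.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised getAcl line: {line!r}")
        entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def check_acl(path: str, getacl_output: str, id_password: str) -> bool:
    """True if the znode's actual ACL equals the expected one (order-insensitive)."""
    return sorted(parse_getacl(getacl_output)) == sorted(expected_acl(path, id_password))


if __name__ == "__main__":
    print(acl_property("admin"))
    print("/hbase ok:", check_acl("/hbase", SAMPLE_GETACL_HBASE, "admin"))
    print("/hbase/table-lock ok:",
          check_acl("/hbase/table-lock", SAMPLE_GETACL_TABLE_LOCK, "admin"))
```

Because the digest scheme hashes exactly the string a client later presents in hbase.zookeeper.auth, an ACL built from "admin" with no password part is only as secret as the username; in a real deployment the id should be "user:password" with a non-trivial password, and the same string goes into both hbase.zookeeper.acl (hashed) and hbase.zookeeper.auth (plain).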