Josh Elser created HBASE-17717:
----------------------------------
Summary: Incorrect ZK ACL set for HBase superuser
Key: HBASE-17717
URL: https://issues.apache.org/jira/browse/HBASE-17717
Project: HBase
Issue Type: Bug
Components: security, Zookeeper
Reporter: Shreya Bhat
Assignee: Josh Elser
Fix For: 2.0.0, 1.3.1, 1.1.10, 1.2.6

Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs
were actually set as we expect (yay, security).
She noticed that, in some cases, we were seeing multiple ACLs for the same user.
{noformat}
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
{noformat}
After digging into this (and some insight from the mighty [~enis]), we realized
that this was happening because of an overridden value for {{hbase.superuser}}.
However, the ACL value doesn't match what we'd expect to see (as
hbase.superuser was set to {{cstm-hbase}}).
After digging into this code, it seems like the {{auth}} ACL scheme in
ZooKeeper does not work as we expect.
{code}
if (superUser != null) {
  acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
}
{code}
In the above, the {{"auth"}} scheme ignores any provided "subject" in the
{{Id}} object. It *only* considers the authentication of the current
connection. As such, our usage of this never actually sets the ACL for the
superuser correctly.
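An added example, not HBase or ZooKeeper code: a simplified Python model of the {{auth}} scheme handling described above, showing how a request that names {{cstm-hbase}} is stored as a second {{sasl:hbase}} entry. The connection identity, the creator entry in the requested list, and the use of the {{sasl}} scheme for the corrected request are assumptions made for illustration.

```python
# Simplified model (not ZooKeeper source) of how the server rewrites a
# requested ACL list before storing it on a znode. All names are hypothetical.
from typing import List, Tuple

Acl = Tuple[str, str, str]                  # (scheme, id, perms)
CONN = [("sasl", "hbase")]                  # constructed: identity of the creating connection
SUPERUSER = "cstm-hbase"                    # hbase.superuser value from the report


def fixup_acl(requested: List[Acl], conn_ids: List[Tuple[str, str]]) -> List[Acl]:
    """Return the ACL entries as stored, given the connection's authenticated ids."""
    stored: List[Acl] = []
    for scheme, ident, perms in requested:
        if scheme == "auth":
            # The id supplied with "auth" is discarded; one entry is stored
            # for each identity the current connection authenticated as.
            if not conn_ids:
                raise ValueError("'auth' ACL requested on an unauthenticated connection")
            stored.extend((s, i, perms) for s, i in conn_ids)
        else:
            stored.append((scheme, ident, perms))
    return stored


def requested_acls(superuser_scheme: str) -> List[Acl]:
    """ACL list a client might request; the creator entry is an assumption."""
    return [
        ("world", "anyone", "r"),
        ("auth", "", "cdrwa"),              # assumed: entry for the znode creator
        (superuser_scheme, SUPERUSER, "cdrwa"),
    ]


def missing_principals(stored: List[Acl], expected: List[str]) -> List[str]:
    """Audit helper: expected SASL principals with no entry on the znode."""
    present = {i for s, i, _ in stored if s == "sasl"}
    return [p for p in expected if p not in present]


def format_acls(acls: List[Acl]) -> str:
    """Render entries in the layout of the listing in the report."""
    return "\n".join(f"'{s},'{i}\n: {p}" for s, i, p in acls)


if __name__ == "__main__":
    for scheme in ("auth", "sasl"):
        stored = fixup_acl(requested_acls(scheme), CONN)
        print(f"-- superuser requested as {scheme}:{SUPERUSER}")
        print(format_acls(stored))
        print("missing:", missing_principals(stored, ["hbase", SUPERUSER]))
```

The `missing_principals` check is the useful part for an audit: a duplicate entry for the service principal together with an absent superuser principal is the signature of this bug.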