[jira] [Updated] (HBASE-17717) Incorrect ZK ACL set for HBase superuser

[Josh Elser (JIRA)]

     [ 
https://issues.apache.org/jira/browse/HBASE-17717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Josh Elser updated HBASE-17717:
-------------------------------
    Release Note: In previous versions of HBase, the system intended to set a 
ZooKeeper ACL on all "sensitive" ZNodes for the user specified in the 
hbase.superuser configuration property. Unfortunately, the ACL was malformed 
which resulted in the hbase.superuser being unable to access the sensitive 
ZNodes that HBase creates. This JIRA issue fixes this bug. HBase will 
automatically correct the ACLs on start so users do not need to manually 
correct the ACLs.

> Incorrect ZK ACL set for HBase superuser
> ----------------------------------------
>
>                 Key: HBASE-17717
>                 URL: https://issues.apache.org/jira/browse/HBASE-17717
>             Project: HBase
>          Issue Type: Bug
>          Components: security, Zookeeper
>            Reporter: Shreya Bhat
>            Assignee: Josh Elser
>             Fix For: 2.0.0, 1.3.1, 1.1.10, 1.2.6
>
>         Attachments: HBASE-17717.001.patch
>
>
> Shreya was doing some testing of a deploy of HBase, verifying that the ZK 
> ACLs were actually set as we expect (yay, security).
> She noticed that, in some cases, we were seeing multiple ACLs for the same 
> user.
> {noformat}
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> {noformat}
> After digging into this (and some insight from the mighty [~enis]), we 
> realized that this was happening because of an overridden value for 
> {{hbase.superuser}}. However, the ACL value doesn't match what we'd expect to 
> see (as hbase.superuser was set to {{cstm-hbase}}).
> After digging into this code, it seems like the {{auth}} ACL scheme in 
> ZooKeeper does not work as we expect.
> {code}
>       if (superUser != null) {
>         acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
>       }
> {code}
> In the above, the {{"auth"}} scheme ignores any provided "subject" in the 
> {{Id}} object. It *only* considers the authentication of the current 
> connection. As such, our usage of this never actually sets the ACL for the 
> superuser correctly.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)