[
https://issues.apache.org/jira/browse/HBASE-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068043#comment-16068043
]
Shibin Zhang commented on HBASE-15577:
--------------------------------------
Is this patch available?
> there need be a mechanism to enable ZK's ACL check when the authentication
> strategy is simple
> ---------------------------------------------------------------------------------------------
>
> Key: HBASE-15577
> URL: https://issues.apache.org/jira/browse/HBASE-15577
> Project: HBase
> Issue Type: Improvement
> Affects Versions: 1.1.3
> Reporter: chenxu
> Assignee: chenxu
> Attachments: HBASE-15577-02.patch, HBASE-15577-03.patch,
> HBASE-15577.patch, zk-set-acl.patch
>
>
> If hbase.security.authentication is set to simple, ZKUtil.createACL
> just returns Ids.OPEN_ACL_UNSAFE, which means that there is no ACL check on the ZK
> nodes.
> We can refactor this to enable the ACL check.
> Manual steps to verify the patch:
> *1. Set these properties in hbase-site.xml*
> {quote}
> hbase.security.authentication(simple)
> hbase.zookeeper.acl (digest:admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=:cdrwa)
> hbase.zookeeper.auth(digest:admin)
> {quote}
> The digest can be generated by
> DigestAuthenticationProvider.generateDigest("admin")
> *2. Start the cluster*
> *3. Verify the ZK nodes*
> {quote}
> (1)getAcl /hbase, result is:
> 'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
> 'world,'anyone: r
> (2)getAcl /hbase/table-lock, result is:
> 'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa
> {quote}
> If the node is one of those below, all clients can read the node, but only the
> servers (RegionServer & Master, which have the auth info) can modify it
> {quote}
> /hbase
> /hbase/meta-region-server
> /hbase/master
> /hbase/hbaseid
> /hbase/rs
> /hbase/table
> /hbase/table/$tableName
> {quote}
> Otherwise, only the servers can read and modify the node; the client can't see
> them
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
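An added example, not part of the issue, the patch or HBase: a Python check that recomputes the digest string used in the verification steps and audits `getAcl` output against the policy the description lays out. The helper names (`parse_getacl`, `audit`) are hypothetical, the parser assumes the single-line `getAcl` format quoted in the issue, and the third sample is constructed.

```python
import base64
import hashlib
import re

# Znodes the issue lists as client-readable (plus /hbase/table/$tableName).
PUBLIC_ZNODES = {"/hbase", "/hbase/meta-region-server", "/hbase/master",
                 "/hbase/hbaseid", "/hbase/rs", "/hbase/table"}

def generate_digest(id_password):
    """Same result as ZooKeeper's DigestAuthenticationProvider.generateDigest:
    id + ':' + base64(SHA-1(whole input string))."""
    ident = id_password.split(":", 1)[0]
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return ident + ":" + base64.b64encode(sha1).decode("ascii")

def parse_getacl(text):
    """Parse getAcl lines written as in the issue: 'scheme,'id : perms."""
    pattern = re.compile(r"\s*'(\w+),'(.*?)\s*:\s*([cdrwa]+)\s*$")
    return [m.groups() for m in map(pattern.match, text.splitlines()) if m]

def audit(path, acls, server_id):
    """List deviations from the policy described in the issue (hypothetical helper)."""
    public = path in PUBLIC_ZNODES or path.startswith("/hbase/table/")
    findings = []
    if ("digest", server_id, "cdrwa") not in acls:
        findings.append("server digest entry with cdrwa missing")
    for scheme, ident, perms in acls:
        if (scheme, ident) == ("digest", server_id):
            continue  # the servers' own entry
        if public and (scheme, ident, perms) == ("world", "anyone", "r"):
            continue  # read-only access for clients on the listed znodes
        findings.append(f"unexpected entry {scheme}:{ident}:{perms}")
    return findings

SERVER_ID = generate_digest("admin")  # input string as given in the issue
# Sample getAcl output: the first two are copied from the issue, the third is constructed.
SAMPLES = {
    "/hbase": "'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa\n'world,'anyone: r",
    "/hbase/table-lock": "'digest,'admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc= : cdrwa",
    "/hbase/master": "'world,'anyone: cdrwa",  # what OPEN_ACL_UNSAFE looks like
}

if __name__ == "__main__":
    for path, output in SAMPLES.items():
        print(path, audit(path, parse_getacl(output), SERVER_ID) or "ok")
```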