[ https://issues.apache.org/jira/browse/HBASE-18323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16076635#comment-16076635 ]

Josh Elser commented on HBASE-18323:
------------------------------------

bq. Why do we use Ids.CREATOR_ALL_ACL? Maybe it's reasonable for the user to set 
the service user the same as the superuser.

We use CREATOR_ALL_ACL to signify that the user creating the ZNode (the HBase 
"service") should have permission to do everything to that node.

bq. If we set the service user to not be the same as the superuser, this service 
user may be added to the znode ACL.

Exactly. The typical case is that there is one superuser which is the same as 
the "service" user. However, there may be other cases where the service user is 
not explicitly listed as a superuser. In this case, the service user should 
still have full access to the znodes it creates. It is a semantic point that 
CREATOR_ALL_ACL should be used as that is what we're ultimately granting 
permissions on.

> Remove multiple ACLs for the same user in kerberos
> --------------------------------------------------
>
>                 Key: HBASE-18323
>                 URL: https://issues.apache.org/jira/browse/HBASE-18323
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 1.2.0, 3.0.0
>            Reporter: Shibin Zhang
>            Priority: Minor
>         Attachments: HBASE-18323.patch, HBASE-18323-V2.patch, 
> HBASE-18323-V3.patch
>
>
> When deploying HBase with Kerberos, there will be multiple ACLs in the znode:
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> I also saw the related issue and applied the patch, like 
> https://issues.apache.org/jira/browse/HBASE-17717 
> but in my environment this situation still appears.
> After digging into the code, I found the reason in the source code; 
> ZKUtil.createAcl is:
>   if (zkw.isClientReadable(node)) {
>     LOG.error("isSecureZooKeeper user: clientReadable");
>     acls.addAll(Ids.CREATOR_ALL_ACL);
>     acls.addAll(Ids.READ_ACL_UNSAFE);
>   } else {
>     LOG.error("isSecureZooKeeper user: clientReadable no");
>     acls.addAll(Ids.CREATOR_ALL_ACL);
>   }
>   acls.addAll(Ids.CREATOR_ALL_ACL);
>
>   Id AUTH_IDS = new Id("auth", "");
>   ArrayList<ACL> CREATOR_ALL_ACL =
>       new ArrayList(Collections.singletonList(new ACL(31, AUTH_IDS)));
> AUTH_IDS with "auth" will result in the current connection's auth user being 
> added to the znode ACL, so multiple ACLs will appear for the same user.
> I think we can remove this line of code:
> acls.addAll(Ids.CREATOR_ALL_ACL);



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
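
Added example, not part of the original message and not HBase or ZooKeeper code: a self-contained Java model of the behaviour discussed in this thread, where an "auth" ACL entry is stored as the identity authenticated on the creating connection. The Id and Acl records, the skipUser parameter, the "admin" superuser and the assumption that the client sends one explicit sasl entry per configured superuser are all hypothetical stand-ins for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class AuthAclModel {
    // Simplified stand-ins for ZooKeeper's Id and ACL (not the real classes).
    record Id(String scheme, String id) {}
    record Acl(int perms, Id id) {}

    static final int READ = 1, ALL = 31; // same values as ZooDefs.Perms

    // ACL list a client sends at create time. skipUser is a hypothetical knob:
    // when non-null, the explicit superuser entry for that user is left out.
    static List<Acl> requested(List<String> superusers, String skipUser) {
        List<Acl> acls = new ArrayList<>();
        acls.add(new Acl(READ, new Id("world", "anyone")));
        for (String su : superusers) {
            if (!su.equals(skipUser)) acls.add(new Acl(ALL, new Id("sasl", su)));
        }
        acls.add(new Acl(ALL, new Id("auth", ""))); // CREATOR_ALL_ACL
        return acls;
    }

    // Model of the server storing the list: each "auth" entry becomes one
    // entry per identity authenticated on the creating connection.
    static List<Acl> stored(List<Acl> requested, List<Id> connectionIds) {
        List<Acl> out = new ArrayList<>();
        for (Acl a : requested) {
            if (a.id().scheme().equals("auth")) {
                for (Id who : connectionIds) out.add(new Acl(a.perms(), who));
            } else {
                out.add(a);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        List<Id> conn = List.of(new Id("sasl", "hbase")); // constructed service principal

        // Service user is also a superuser: sasl:hbase is stored twice.
        System.out.println(stored(requested(List.of("hbase"), null), conn));
        // Same setup, explicit entry skipped: one sasl:hbase entry remains.
        System.out.println(stored(requested(List.of("hbase"), "hbase"), conn));
        // Service user is not a superuser: the creator entry is its only grant.
        System.out.println(stored(requested(List.of("admin"), null), conn));
    }
}
```

The third case is the one raised in the comment above: dropping the creator entry would leave the service user with no permissions on znodes it created whenever it is not listed as a superuser.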
