[jira] [Updated] (HBASE-25407) list_regions make potential sensitive information disclosure

[lujie (Jira)]

     [ 
https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated HBASE-25407:
--------------------------
    Description: 
I found that I can get other users' region information which is not expected.
  
 For example i create a table as sysadmin, then I can read the region 
information as user1.
 !image-2020-12-18-13-00-20-126.png!
  
 I have found that list_regions is introduced by 
https://issues.apache.org/jira/browse/HBASE-14925

 

we can also get the region info by rest  

 

!image-2020-12-18-13-07-00-777.png!

 
i think we expose more informaiton, we will be in more danger case, and even be 
attacked by others. 
  

  was:
I found that I can get other users' region information which is not expected.
  
 For example i create a table as sysadmin, then I can read the region 
information as user1.
 !image-2020-12-18-13-00-20-126.png!
  
 I have found that list_regions is introduced by 
https://issues.apache.org/jira/browse/HBASE-14925

 

we can also get the region info by rest  

 

!image-2020-12-18-13-07-00-777.png!

 
I am just confused about why there  is no ACL on the regions, because  i think 
we expose more informaiton, we will be in more danger case, and even be 
attacked by others. 
 


> list_regions make potential sensitive information disclosure
> ------------------------------------------------------------
>
>                 Key: HBASE-25407
>                 URL: https://issues.apache.org/jira/browse/HBASE-25407
>             Project: HBase
>          Issue Type: Bug
>            Reporter: lujie
>            Priority: Critical
>             Fix For: 3.0.0-alpha-1, 1.7.0, 2.2.7, 2.3.4, 2.5.0, 2.4.1
>
>         Attachments: image-2020-12-18-13-00-20-126.png, 
> image-2020-12-18-13-07-00-777.png
>
>
> I found that I can get other users' region information which is not expected.
>   
>  For example i create a table as sysadmin, then I can read the region 
> information as user1.
>  !image-2020-12-18-13-00-20-126.png!
>   
>  I have found that list_regions is introduced by 
> https://issues.apache.org/jira/browse/HBASE-14925
>  
> we can also get the region info by rest  
>  
> !image-2020-12-18-13-07-00-777.png!
>  
> i think we expose more informaiton, we will be in more danger case, and even 
> be attacked by others. 
>   



--
This message was sent by Atlassian Jira
(v8.3.4#803005)