[jira] [Commented] (HBASE-6851) Race condition in TableAuthManager.updateGlobalCache()

Tue, 25 Sep 2012 11:18:09 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-6851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13463080#comment-13463080
 ] 

Hudson commented on HBASE-6851:
-------------------------------

Integrated in HBase-0.94-security #57 (See 
[https://builds.apache.org/job/HBase-0.94-security/57/])
    HBASE-6851  Fix race condition in TableAuthManager.updateGlobalCache() 
(Revision 1388898)

     Result = SUCCESS
garyh : 
Files : 
* 
/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
* 
/hbase/branches/0.94/security/src/test/java/org/apache/hadoop/hbase/security/access/TestTablePermissions.java

                
> Race condition in TableAuthManager.updateGlobalCache()
> ------------------------------------------------------
>
>                 Key: HBASE-6851
>                 URL: https://issues.apache.org/jira/browse/HBASE-6851
>             Project: HBase
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.94.1, 0.96.0
>            Reporter: Gary Helmling
>            Assignee: Gary Helmling
>            Priority: Critical
>             Fix For: 0.94.2, 0.96.0
>
>         Attachments: HBASE-6851_2.patch, HBASE-6851_3.patch, HBASE-6851.patch
>
>
> When new global permissions are assigned, there is a race condition, during 
> which further authorization checks relying on global permissions may fail.
> In TableAuthManager.updateGlobalCache(), we have:
> {code:java}
>     USER_CACHE.clear();
>     GROUP_CACHE.clear();
>     try {
>       initGlobal(conf);
>     } catch (IOException e) {
>       // Never happens
>       LOG.error("Error occured while updating the user cache", e);
>     }
>     for (Map.Entry<String,TablePermission> entry : userPerms.entries()) {
>       if (AccessControlLists.isGroupPrincipal(entry.getKey())) {
>         GROUP_CACHE.put(AccessControlLists.getGroupName(entry.getKey()),
>                         new Permission(entry.getValue().getActions()));
>       } else {
>         USER_CACHE.put(entry.getKey(), new 
> Permission(entry.getValue().getActions()));
>       }
>     }
> {code}
> If authorization checks come in following the .clear() but before 
> repopulating, they will fail.
> We should have some synchronization here to serialize multiple updates and 
> use a COW type rebuild and reassign of the new maps.
> This particular issue crept in with the fix in HBASE-6157, so I'm flagging 
> for 0.94 and 0.96.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to