[ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13618628#comment-13618628 ]
Hadoop QA commented on HBASE-8213: ---------------------------------- {color:green}+1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12576337/HBASE-8213-trunk.patch against trunk revision . {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 3 new or modified tests. {color:green}+1 hadoop2.0{color}. The patch compiles against the hadoop 2.0 profile. {color:green}+1 javadoc{color}. The javadoc tool did not generate any warning messages. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 1.3.9) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 lineLengths{color}. The patch does not introduce lines longer than 100 {color:green}+1 site{color}. The mvn site goal succeeds with this patch. {color:green}+1 core tests{color}. The patch passed unit tests in . Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-client.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-examples.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-protocol.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop1-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-common.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//artifact/trunk/patchprocess/newPatchFindbugsWarningshbase-server.html Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/5078//console This message is automatically generated. > global authorization may lose efficacy > --------------------------------------- > > Key: HBASE-8213 > URL: https://issues.apache.org/jira/browse/HBASE-8213 > Project: HBase > Issue Type: Bug > Components: security > Affects Versions: 0.95.0, 0.96.0, 0.94.7 > Reporter: Jieshan Bean > Assignee: Jieshan Bean > Priority: Critical > Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch > > > It depends on the order of which region be opened first. > Suppose we have one 1 regionserver and only 1 user region REGION-A on this > server, _acl_ region was on another regionserver. _acl_ was opened a few > seconds before REGION-A. > The global authorization data read from Zookeeper was overwritten by the data > read from configuration. > {code} > private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf) > throws IOException { > this.conf = conf; > this.zkperms = new ZKPermissionWatcher(watcher, this, conf); > try { > // Read global authorization data from zookeeper. > this.zkperms.start(); > } catch (KeeperException ke) { > LOG.error("ZooKeeper initialization failed", ke); > } > // It will overwrite globalCache. > // initialize global permissions based on configuration > globalCache = initGlobal(conf); > } > {code} > This issue can be easily reproduced by below steps: > 1. Start a cluster with 3 regionservers. > 2. Create a new table T1. > 3. grant a new user USER-A with global authorization. > 4. Kill 1 regionserver RS3 and switch balance off. > 5. Start regionserver RS3. > 6. Assign region T1 to RS3. > 7. Put data with user USER-A. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira