[jira] [Updated] (HBASE-27035) failed to set file permission when node crash
[ https://issues.apache.org/jira/browse/HBASE-27035?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-27035: -- Description: in SecureBulkLoadManager#secureBulkLoadHFiles, we have code like that: {code:java} for(Pair el: familyPaths) { Path stageFamily = new Path(bulkToken, Bytes.toString(el.getFirst())); if(!fs.exists(stageFamily)) { fs.mkdirs(stageFamily); fs.setPermission(stageFamily, PERM_ALL_ACCESS); } } {code} if process crashbefore setpermission, and reboot, we can't setpermission again. we should make this code like SnapshotScannerHDFSAclHelper#setCommonDirectoryPermission {code:java} for (Path path : paths) { createDirIfNotExist(path); fs.setPermission(path, new FsPermission( conf.get(COMMON_DIRECTORY_PERMISSION, COMMON_DIRECTORY_PERMISSION_DEFAULT))) } {code} was: in SecureBulkLoadManager#secureBulkLoadHFiles, we have code like that: {code:java} for(Pair el: familyPaths) { Path stageFamily = new Path(bulkToken, Bytes.toString(el.getFirst())); if(!fs.exists(stageFamily)) { fs.mkdirs(stageFamily); fs.setPermission(stageFamily, PERM_ALL_ACCESS); } } {code} if process crashbefore setpermission, and reboot, we can't setpermission again. we should make this code like SnapshotScannerHDFSAclHelper#setCommonDirectoryPermission {code:java} for (Path path : paths) { createDirIfNotExist(path); fs.setPermission(path, new FsPermission( conf.get(COMMON_DIRECTORY_PERMISSION, COMMON_DIRECTORY_PERMISSION_DEFAULT))); } {code} > failed to set file permission when node crash > -- > > Key: HBASE-27035 > URL: https://issues.apache.org/jira/browse/HBASE-27035 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > in SecureBulkLoadManager#secureBulkLoadHFiles, we have code like that: > {code:java} > for(Pair el: familyPaths) { > Path stageFamily = new Path(bulkToken, > Bytes.toString(el.getFirst())); > if(!fs.exists(stageFamily)) { > fs.mkdirs(stageFamily); > fs.setPermission(stageFamily, PERM_ALL_ACCESS); > } > } {code} > if process crashbefore setpermission, and reboot, we can't setpermission > again. > > we should make this code like > SnapshotScannerHDFSAclHelper#setCommonDirectoryPermission > > {code:java} > for (Path path : paths) { > createDirIfNotExist(path); > fs.setPermission(path, new FsPermission( > conf.get(COMMON_DIRECTORY_PERMISSION, > COMMON_DIRECTORY_PERMISSION_DEFAULT))) > } {code} > > > > > > > > -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Created] (HBASE-27035) failed to set file permission when node crash
lujie created HBASE-27035: - Summary: failed to set file permission when node crash Key: HBASE-27035 URL: https://issues.apache.org/jira/browse/HBASE-27035 Project: HBase Issue Type: Bug Reporter: lujie in SecureBulkLoadManager#secureBulkLoadHFiles, we have code like that: {code:java} for(Pair el: familyPaths) { Path stageFamily = new Path(bulkToken, Bytes.toString(el.getFirst())); if(!fs.exists(stageFamily)) { fs.mkdirs(stageFamily); fs.setPermission(stageFamily, PERM_ALL_ACCESS); } } {code} if process crashbefore setpermission, and reboot, we can't setpermission again. we should make this code like SnapshotScannerHDFSAclHelper#setCommonDirectoryPermission {code:java} for (Path path : paths) { createDirIfNotExist(path); fs.setPermission(path, new FsPermission( conf.get(COMMON_DIRECTORY_PERMISSION, COMMON_DIRECTORY_PERMISSION_DEFAULT))); } {code} -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Updated] (HBASE-25892) 'False' should be 'True' in auditlog of listLabels
[ https://issues.apache.org/jira/browse/HBASE-25892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25892: -- Description: In method `listLabels` at line 932, it should be {code:java} logResult(true, "listLabels", "Listing labels allowed", null, null, regex);{code} instead of {code:java} logResult(false, "listLabels", "Listing labels allowed", null, null, regex); {code} as listLabels is executed normally. was: In method `listLabels` at line 932, it should be {code:java} logResult(true, "listLabels", "Listing labels allowed", null, null, regex);{code} instead of {code:java} logResult(false, "listLabels", "Listing labels allowed", null, null, regex); {code} as listLabels are executed normally. > 'False' should be 'True' in auditlog of listLabels > -- > > Key: HBASE-25892 > URL: https://issues.apache.org/jira/browse/HBASE-25892 > Project: HBase > Issue Type: Bug >Reporter: xiqing >Priority: Major > > In method `listLabels` at line 932, it should be > {code:java} > logResult(true, "listLabels", "Listing labels allowed", null, null, > regex);{code} > instead of > {code:java} > logResult(false, "listLabels", "Listing labels allowed", null, null, regex); > {code} > as listLabels is executed normally. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25892) 'False' should be 'True' in auditlog of listLabels
[ https://issues.apache.org/jira/browse/HBASE-25892?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25892: -- Description: In method `listLabels` at line 932, it should be {code:java} logResult(true, "listLabels", "Listing labels allowed", null, null, regex);{code} instead of {code:java} logResult(false, "listLabels", "Listing labels allowed", null, null, regex); {code} as listLabels are executed normally. was: In method `listLabels`, it should be {code:java} logResult(true, "listLabels", "Listing labels allowed", null, null, regex); {code} > 'False' should be 'True' in auditlog of listLabels > -- > > Key: HBASE-25892 > URL: https://issues.apache.org/jira/browse/HBASE-25892 > Project: HBase > Issue Type: Bug >Reporter: xiqing >Priority: Major > > In method `listLabels` at line 932, it should be > {code:java} > logResult(true, "listLabels", "Listing labels allowed", null, null, > regex);{code} > instead of > {code:java} > logResult(false, "listLabels", "Listing labels allowed", null, null, regex); > {code} > as listLabels are executed normally. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-25892) 'False' should be 'True' in auditlog of listLabels
[ https://issues.apache.org/jira/browse/HBASE-25892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17346129#comment-17346129 ] lujie commented on HBASE-25892: --- I think this will confuse the Administrator as the logs show that legal users always failed to listLabels:( > 'False' should be 'True' in auditlog of listLabels > -- > > Key: HBASE-25892 > URL: https://issues.apache.org/jira/browse/HBASE-25892 > Project: HBase > Issue Type: Bug >Reporter: xiqing >Priority: Major > > In method `listLabels`, it should be > {code:java} > logResult(true, "listLabels", "Listing labels allowed", null, null, regex); > {code} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25877) Add access check for compactionSwitch
[ https://issues.apache.org/jira/browse/HBASE-25877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25877: -- Summary: Add access check for compactionSwitch (was: Add access check for switchCompaction) > Add access check for compactionSwitch > -- > > Key: HBASE-25877 > URL: https://issues.apache.org/jira/browse/HBASE-25877 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > Should we add access check for > org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25877) Add access check for switchCompaction
[ https://issues.apache.org/jira/browse/HBASE-25877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25877: -- Summary: Add access check for switchCompaction (was: Add access check for switchCompaction and compactRegion ) > Add access check for switchCompaction > -- > > Key: HBASE-25877 > URL: https://issues.apache.org/jira/browse/HBASE-25877 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > Should we add access check for > org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch and > compactRegion? > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25877) Add access check for switchCompaction
[ https://issues.apache.org/jira/browse/HBASE-25877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25877: -- Description: Should we add access check for org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch was: Should we add access check for org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch and compactRegion? > Add access check for switchCompaction > -- > > Key: HBASE-25877 > URL: https://issues.apache.org/jira/browse/HBASE-25877 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > Should we add access check for > org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25877) Add access check for switchCompaction
[ https://issues.apache.org/jira/browse/HBASE-25877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25877: -- Description: Should we add access check for org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch and compactRegion? was: Should we add access check for org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch? Please also check compactRegion, > Add access check for switchCompaction > -- > > Key: HBASE-25877 > URL: https://issues.apache.org/jira/browse/HBASE-25877 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > Should we add access check for > org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch and > compactRegion? > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25877) Add access check for switchCompaction and compactRegion
[ https://issues.apache.org/jira/browse/HBASE-25877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25877: -- Summary: Add access check for switchCompaction and compactRegion (was: Add access check for switchCompaction) > Add access check for switchCompaction and compactRegion > - > > Key: HBASE-25877 > URL: https://issues.apache.org/jira/browse/HBASE-25877 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > Should we add access check for > org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch and > compactRegion? > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25877) Add access check for switchCompaction
[ https://issues.apache.org/jira/browse/HBASE-25877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25877: -- Description: Should we add access check for org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch? Please also check compactRegion, was:Should we add access check for org.apache.hadoop.hbase.regionserver.CompactSplit.switchCompaction? > Add access check for switchCompaction > -- > > Key: HBASE-25877 > URL: https://issues.apache.org/jira/browse/HBASE-25877 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > Should we add access check for > org.apache.hadoop.hbase.regionserver.RSRpcServices#compactionSwitch? > Please also check compactRegion, -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (HBASE-25877) Add access check for switchCompaction
[ https://issues.apache.org/jira/browse/HBASE-25877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie reassigned HBASE-25877: - Assignee: lujie > Add access check for switchCompaction > -- > > Key: HBASE-25877 > URL: https://issues.apache.org/jira/browse/HBASE-25877 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > Should we add access check for > org.apache.hadoop.hbase.regionserver.CompactSplit.switchCompaction? -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (HBASE-25877) Add access check for switchCompaction
lujie created HBASE-25877: - Summary: Add access check for switchCompaction Key: HBASE-25877 URL: https://issues.apache.org/jira/browse/HBASE-25877 Project: HBase Issue Type: Bug Reporter: lujie Should we add access check for org.apache.hadoop.hbase.regionserver.CompactSplit.switchCompaction? -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25558) Adding audit log for execMasterService
[ https://issues.apache.org/jira/browse/HBASE-25558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25558: -- Description: Hi: I have found that in APIs, like execProcedure and execProcedureWithRet, have audit log to record who execute the master service. The log can be like: {code:java} LOG.info(master.getClientIdAuditPrefix() + " procedure request for: " + desc.getSignature()); {code} But it seems that we forget to audit execMasterService. We should add one. was:Aa > Adding audit log for execMasterService > -- > > Key: HBASE-25558 > URL: https://issues.apache.org/jira/browse/HBASE-25558 > Project: HBase > Issue Type: Improvement >Reporter: lujie >Assignee: lujie >Priority: Major > > Hi: > I have found that in APIs, like execProcedure and execProcedureWithRet, have > audit log to record who execute the master service. The log can be like: > {code:java} > LOG.info(master.getClientIdAuditPrefix() + " procedure request for: " + > desc.getSignature()); > {code} > But it seems that we forget to audit execMasterService. We should add one. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25558) Adding audit log for execMasterService
[ https://issues.apache.org/jira/browse/HBASE-25558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25558: -- Description: Aa (was: I think we should add audit log for execMasterService, like execProcedure) > Adding audit log for execMasterService > -- > > Key: HBASE-25558 > URL: https://issues.apache.org/jira/browse/HBASE-25558 > Project: HBase > Issue Type: Improvement >Reporter: lujie >Assignee: lujie >Priority: Major > > Aa -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (HBASE-25558) Adding audit log for execMasterService
[ https://issues.apache.org/jira/browse/HBASE-25558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie reassigned HBASE-25558: - Assignee: lujie > Adding audit log for execMasterService > -- > > Key: HBASE-25558 > URL: https://issues.apache.org/jira/browse/HBASE-25558 > Project: HBase > Issue Type: Improvement >Reporter: lujie >Assignee: lujie >Priority: Major > > I think we should add audit log for execMasterService, like execProcedure -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25558) Adding audit log for execMasterService
[ https://issues.apache.org/jira/browse/HBASE-25558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25558: -- Issue Type: Improvement (was: Bug) > Adding audit log for execMasterService > -- > > Key: HBASE-25558 > URL: https://issues.apache.org/jira/browse/HBASE-25558 > Project: HBase > Issue Type: Improvement >Reporter: lujie >Priority: Major > > I think we should add audit log for execMasterService, like execProcedure -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25558) Adding audit log for execMasterService
[ https://issues.apache.org/jira/browse/HBASE-25558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25558: -- Description: I think we should add audit log for execMasterService, like execProcedure (was: It seem that we need add audit log for execMasterService, like execProcedure) > Adding audit log for execMasterService > -- > > Key: HBASE-25558 > URL: https://issues.apache.org/jira/browse/HBASE-25558 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > I think we should add audit log for execMasterService, like execProcedure -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25558) Adding audit log for execMasterService
[ https://issues.apache.org/jira/browse/HBASE-25558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25558: -- Description: It seem that we need add audit log for execMasterService, like execProcedure > Adding audit log for execMasterService > -- > > Key: HBASE-25558 > URL: https://issues.apache.org/jira/browse/HBASE-25558 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > It seem that we need add audit log for execMasterService, like execProcedure -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (HBASE-25558) Adding audit log for execMasterService
lujie created HBASE-25558: - Summary: Adding audit log for execMasterService Key: HBASE-25558 URL: https://issues.apache.org/jira/browse/HBASE-25558 Project: HBase Issue Type: Bug Reporter: lujie -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25456) setRegionStateInMeta need security check
[ https://issues.apache.org/jira/browse/HBASE-25456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25456: -- Release Note: setRegionStateInMeta can be accessed only through Admin rights > setRegionStateInMeta need security check > > > Key: HBASE-25456 > URL: https://issues.apache.org/jira/browse/HBASE-25456 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Critical > Fix For: 3.0.0-alpha-1, 2.3.4, 2.5.0, 2.4.1 > > > [Viraj > Jasani|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=vjasani] > it seems that we miss setRegionStateInMeta -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta and fixMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Release Note: setTableStateInMeta and fixMeta can be accessed only through Admin rights > we should add security checks for setTableStateInMeta and fixMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > Attachments: HBASE-25432_1.patch > > > setTableStateInMeta and fixMeta can be accessed only through Admin rights -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta and fixMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: setTableStateInMeta and fixMeta can be accessed only through Admin rights > we should add security checks for setTableStateInMeta and fixMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > Attachments: HBASE-25432_1.patch > > > setTableStateInMeta and fixMeta can be accessed only through Admin rights -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25456) setRegionStateInMeta need security check
[ https://issues.apache.org/jira/browse/HBASE-25456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25456: -- Priority: Critical (was: Major) > setRegionStateInMeta need security check > > > Key: HBASE-25456 > URL: https://issues.apache.org/jira/browse/HBASE-25456 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Critical > > [Viraj > Jasani|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=vjasani] > it seems that we miss setRegionStateInMeta -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (HBASE-25422) update_all_config should not be executed by non-admin user!!!
[ https://issues.apache.org/jira/browse/HBASE-25422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie resolved HBASE-25422. --- Resolution: Duplicate > update_all_config should not be executed by non-admin user!!! > - > > Key: HBASE-25422 > URL: https://issues.apache.org/jira/browse/HBASE-25422 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > Attachments: image-2020-12-20-12-50-23-433.png > > > !image-2020-12-20-12-50-23-433.png! -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25456) setRegionStateInMeta need security check
[ https://issues.apache.org/jira/browse/HBASE-25456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25456: -- Description: [Viraj Jasani|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=vjasani] it seems that we miss setRegionStateInMeta (was: [Viraj Jasani|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=vjasani] it seems that we miss ) > setRegionStateInMeta need security check > > > Key: HBASE-25456 > URL: https://issues.apache.org/jira/browse/HBASE-25456 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > [Viraj > Jasani|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=vjasani] > it seems that we miss setRegionStateInMeta -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25456) setRegionStateInMeta need security check
[ https://issues.apache.org/jira/browse/HBASE-25456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25456: -- Description: [Viraj Jasani|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=vjasani] it seems that we miss (was: @) > setRegionStateInMeta need security check > > > Key: HBASE-25456 > URL: https://issues.apache.org/jira/browse/HBASE-25456 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > [Viraj > Jasani|https://issues.apache.org/jira/secure/ViewProfile.jspa?name=vjasani] > it seems that we miss -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25456) setRegionStateInMeta need security check
[ https://issues.apache.org/jira/browse/HBASE-25456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25456: -- Description: @ > setRegionStateInMeta need security check > > > Key: HBASE-25456 > URL: https://issues.apache.org/jira/browse/HBASE-25456 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > @ -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (HBASE-25456) setRegionStateInMeta need security check
lujie created HBASE-25456: - Summary: setRegionStateInMeta need security check Key: HBASE-25456 URL: https://issues.apache.org/jira/browse/HBASE-25456 Project: HBase Issue Type: Bug Reporter: lujie Assignee: lujie -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: ||API||Severity||symptom|| |clearRegionBlockCache|Severe|The API will call LruBlockCache.evictBlocksByHfileName, who is declared as an expensive operation(see its comments), thus non-amin may result Dos| |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| |updateConfiguration|Normal|non-admin user can make RS reload configutation from disk by this API. | |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the region's best storage location by this api| |stopServer|low|stopServer on RS is slient, which make client think he/she success shutdown RS. Add preRpcCheck ont only make client receive the failed message, but also prevent the non-admin user stop the RS, even the hbase.coprocessor.regionserver.classes are not configured.| was: ||API||Severity||symptom|| |clearRegionBlockCache|Severe|The API will call LruBlockCache.evictBlocksByHfileName, who is declared as an expensive operation(see its comments), thus non-amin may result Dos| |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| |updateConfiguration|Normal|non-admin user can make RS reload configutation from disk by this API. Only admin should be allowed to reconfig a cluster(see ZOOKEEPER-2014| |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the region's best storage location by this api| |stopServer|low|stopServer on RS is slient, which make client think he/she success shutdown RS. Add preRpcCheck ont only make client receive the failed message, but also prevent the non-admin user stop the RS, even the hbase.coprocessor.regionserver.classes are not configured.| > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > > ||API||Severity||symptom|| > |clearRegionBlockCache|Severe|The API will call > LruBlockCache.evictBlocksByHfileName, > who is declared as an expensive operation(see its comments), thus non-amin > may result Dos| > |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| > |updateConfiguration|Normal|non-admin user can make RS reload configutation > from disk by this API. | > |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the > region's best storage location by this api| > |stopServer|low|stopServer on RS is slient, which make client think he/she > success shutdown RS. > Add preRpcCheck ont only make client receive the failed message, > but also prevent the non-admin user stop the RS, > even the hbase.coprocessor.regionserver.classes are not configured.| > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: ||API||Severity||symptom|| |clearRegionBlockCache|Severe|The API will call LruBlockCache.evictBlocksByHfileName, who is declared as an expensive operation(see its comments), thus non-amin may result Dos| |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| |updateConfiguration|Normal|non-admin user can make RS reload configutation from disk by this API. Only admin should be allowed to reconfig a cluster(see ZOOKEEPER-2014| |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the region's best storage location by this api| |stopServer|low|stopServer on RS is slient, which make client think he/she success shutdown RS. Add preRpcCheck ont only make client receive the failed message, but also prevent the non-admin user stop the RS, even the hbase.coprocessor.regionserver.classes are not configured.| was: ||API||Severity||symptom|| |clearRegionBlockCache|Severe|The API will call LruBlockCache.evictBlocksByHfileName, who is declared as an expensive operation(see its comments), thus non-amin may result Dos| |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| |updateConfiguration|Normal|non-admin user can make RS reload configutation from disk by this API| |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the region's best storage location by this api| |stopServer|low|stopServer on RS is slient, which make client think he/she success shutdown RS. Add preRpcCheck ont only make client receive the failed message, but also prevent the non-admin user stop the RS, even the hbase.coprocessor.regionserver.classes are not configured.| > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > > ||API||Severity||symptom|| > |clearRegionBlockCache|Severe|The API will call > LruBlockCache.evictBlocksByHfileName, > who is declared as an expensive operation(see its comments), thus non-amin > may result Dos| > |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| > |updateConfiguration|Normal|non-admin user can make RS reload configutation > from disk by this API. Only admin should be allowed to reconfig a cluster(see > ZOOKEEPER-2014| > |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the > region's best storage location by this api| > |stopServer|low|stopServer on RS is slient, which make client think he/she > success shutdown RS. > Add preRpcCheck ont only make client receive the failed message, > but also prevent the non-admin user stop the RS, > even the hbase.coprocessor.regionserver.classes are not configured.| > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: ||API||Severity||symptom|| |clearRegionBlockCache|Severe|The API will call LruBlockCache.evictBlocksByHfileName, who is declared as an expensive operation(see its comments), thus non-amin may result Dos| |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| |updateConfiguration|Normal|non-admin user can make RS reload configutation from disk by this API| |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the region's best storage location by this api| |stopServer|low|stopServer on RS is slient, which make client think he/she success shutdown RS. Add preRpcCheck ont only make client receive the failed message, but also prevent the non-admin user stop the RS, even the hbase.coprocessor.regionserver.classes are not configured.| was: ||API||Severity||symptom|| |clearRegionBlockCache|Severe|The API will call LruBlockCache.evictBlocksByHfileName, who is declared as an expensive operation(see its comments), thus non-amin may result Dos| > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > > ||API||Severity||symptom|| > |clearRegionBlockCache|Severe|The API will call > LruBlockCache.evictBlocksByHfileName, who is declared as an expensive > operation(see its comments), thus non-amin may result Dos| > |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| > |updateConfiguration|Normal|non-admin user can make RS reload configutation > from disk by this API| > |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the > region's best storage location by this api| > |stopServer|low|stopServer on RS is slient, which make client think he/she > success shutdown RS. Add preRpcCheck ont only make client receive the failed > message, but also prevent the non-admin user stop the RS, even the > hbase.coprocessor.regionserver.classes are not configured.| > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: ||API||Severity||symptom|| |clearRegionBlockCache|Severe|The API will call LruBlockCache.evictBlocksByHfileName, who is declared as an expensive operation(see its comments), thus non-amin may result Dos| |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| |updateConfiguration|Normal|non-admin user can make RS reload configutation from disk by this API| |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the region's best storage location by this api| |stopServer|low|stopServer on RS is slient, which make client think he/she success shutdown RS. Add preRpcCheck ont only make client receive the failed message, but also prevent the non-admin user stop the RS, even the hbase.coprocessor.regionserver.classes are not configured.| was: ||API||Severity||symptom|| |clearRegionBlockCache|Severe|The API will call LruBlockCache.evictBlocksByHfileName, who is declared as an expensive operation(see its comments), thus non-amin may result Dos| |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| |updateConfiguration|Normal|non-admin user can make RS reload configutation from disk by this API| |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the region's best storage location by this api| |stopServer|low|stopServer on RS is slient, which make client think he/she success shutdown RS. Add preRpcCheck ont only make client receive the failed message, but also prevent the non-admin user stop the RS, even the hbase.coprocessor.regionserver.classes are not configured.| > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > > ||API||Severity||symptom|| > |clearRegionBlockCache|Severe|The API will call > LruBlockCache.evictBlocksByHfileName, > who is declared as an expensive operation(see its comments), thus non-amin > may result Dos| > |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| > |updateConfiguration|Normal|non-admin user can make RS reload configutation > from disk by this API| > |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the > region's best storage location by this api| > |stopServer|low|stopServer on RS is slient, which make client think he/she > success shutdown RS. > Add preRpcCheck ont only make client receive the failed message, > but also prevent the non-admin user stop the RS, > even the hbase.coprocessor.regionserver.classes are not configured.| > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: ||API||Severity||symptom|| |clearRegionBlockCache|Severe|The API will call LruBlockCache.evictBlocksByHfileName, who is declared as an expensive operation(see its comments), thus non-amin may result Dos| was: clearSlowLogsResponses clearRegionBlockCache updateConfiguration updateRegionFavoredNodesMapping > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > > ||API||Severity||symptom|| > |clearRegionBlockCache|Severe|The API will call > LruBlockCache.evictBlocksByHfileName, who is declared as an expensive > operation(see its comments), thus non-amin may result Dos| > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: clearSlowLogsResponses clearRegionBlockCache updateConfiguration updateRegionFavoredNodesMapping was: clearSlowLogsResponses clearRegionBlockCache updateConfiguration > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > clearSlowLogsResponses > clearRegionBlockCache > updateConfiguration > updateRegionFavoredNodesMapping -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: clearSlowLogsResponses clearRegionBlockCache updateConfiguration was: clearSlowLogsResponses clearRegionBlockCache > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > clearSlowLogsResponses > clearRegionBlockCache > updateConfiguration -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: clearSlowLogsResponses clearRegionBlockCache was: getLogEntries clearSlowLogsResponses stopServer Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" will not throw any exception due to below code: {code:java} catch (IOException ioe) { if (!force) { LOG.warn("The region server did not stop", ioe); return; } LOG.warn("Skipping coprocessor exception on preStop() due to forced shutdown", ioe); } {code} So client who call stopServer will not know whether his request is successful or not.Make "stop" throw exception will make a large number of code change, Here we add rpcPreCheck("stopServer") tomake client clearly see the message: ERROR RuntimeError: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'user1' (global, action=ADMIN) > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > clearSlowLogsResponses > clearRegionBlockCache -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: getLogEntries clearSlowLogsResponses stopServer Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" will not throw any exception due to below code: {code:java} catch (IOException ioe) { if (!force) { LOG.warn("The region server did not stop", ioe); return; } LOG.warn("Skipping coprocessor exception on preStop() due to forced shutdown", ioe); } {code} So client who call stopServer will not know whether his request is successful or not.Make "stop" throw exception will make a large number of code change, Here we add rpcPreCheck("stopServer") tomake client clearly see the message: ERROR RuntimeError: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'user1' (global, action=ADMIN) was: getLogEntries clearSlowLogsResponses stopServer Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" will not throw any exception due to below code: {code:java} catch (IOException ioe) { if (!force) { LOG.warn("The region server did not stop", ioe); return; } LOG.warn("Skipping coprocessor exception on preStop() due to forced shutdown", ioe); } {code} So client who call stopServer will not know whether his request is successful or not.Make "stop" throw exception will make a large number of code change, Here we add rpcPreCheck("stopServer"); can make client clearly see the message: ERROR RuntimeError: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'user1' (global, action=ADMIN) > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > getLogEntries > clearSlowLogsResponses > stopServer > > Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" > will not throw any exception due to below code: > {code:java} > catch (IOException ioe) { > if (!force) { > LOG.warn("The region server did not stop", ioe); > return; > } > LOG.warn("Skipping coprocessor exception on preStop() due to forced > shutdown", ioe); > } > {code} > So client who call stopServer will not know whether his request is successful > or not.Make "stop" throw exception will make a large number of code change, > Here we add rpcPreCheck("stopServer") tomake client clearly see the message: > ERROR RuntimeError: org.apache.hadoop.hbase.security.AccessDeniedException: > Insufficient permissions for user 'user1' (global, action=ADMIN) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: getLogEntries clearSlowLogsResponses stopServer Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" will not throw any exception due to below code: {code:java} catch (IOException ioe) { if (!force) { LOG.warn("The region server did not stop", ioe); return; } LOG.warn("Skipping coprocessor exception on preStop() due to forced shutdown", ioe); } {code} So client who call stopServer will not know whether his request is successful or not.Make "stop" throw exception will make a large number of code change, Here we add rpcPreCheck("stopServer"); can make client clearly see the message: ERROR RuntimeError: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'user1' (global, action=ADMIN) was: getLogEntries clearSlowLogsResponses stopServer Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" will not throw any exception due to below code: {code:java} catch (IOException ioe) { if (!force) { LOG.warn("The region server did not stop", ioe); return; } LOG.warn("Skipping coprocessor exception on preStop() due to forced shutdown", ioe); } {code} So client who call stopServer will not know whether his request is successful or not. Here we add rpcPreCheck("stopServer"); can make client clearly see the message: ERROR RuntimeError: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'user1' (global, action=ADMIN) > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > getLogEntries > clearSlowLogsResponses > stopServer > > Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" > will not throw any exception due to below code: > {code:java} > catch (IOException ioe) { > if (!force) { > LOG.warn("The region server did not stop", ioe); > return; > } > LOG.warn("Skipping coprocessor exception on preStop() due to forced > shutdown", ioe); > } > {code} > So client who call stopServer will not know whether his request is successful > or not.Make "stop" throw exception will make a large number of code change, > Here we add rpcPreCheck("stopServer"); can make client clearly see the > message: > ERROR RuntimeError: org.apache.hadoop.hbase.security.AccessDeniedException: > Insufficient permissions for user 'user1' (global, action=ADMIN) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: getLogEntries clearSlowLogsResponses stopServer Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" will not throw any exception due to below code: {code:java} catch (IOException ioe) { if (!force) { LOG.warn("The region server did not stop", ioe); return; } LOG.warn("Skipping coprocessor exception on preStop() due to forced shutdown", ioe); } {code} So client who call stopServer will not know whether his request is successful or not. Here we add rpcPreCheck("stopServer"); can make client clearly see the message: ERROR RuntimeError: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'user1' (global, action=ADMIN) was: getLogEntries clearSlowLogsResponses stopServer Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" will not throw any exception due to below code: {code:java} catch (IOException ioe) { if (!force) { LOG.warn("The region server did not stop", ioe); return; } LOG.warn("Skipping coprocessor exception on preStop() due to forced shutdown", ioe); } {code} So client who call stopServer will not knwo whether his request is whether it is successful or not. Here we add > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > getLogEntries > clearSlowLogsResponses > stopServer > > Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" > will not throw any exception due to below code: > {code:java} > catch (IOException ioe) { > if (!force) { > LOG.warn("The region server did not stop", ioe); > return; > } > LOG.warn("Skipping coprocessor exception on preStop() due to forced > shutdown", ioe); > } > {code} > So client who call stopServer will not know whether his request is successful > or not. Here we add rpcPreCheck("stopServer"); can make client clearly see > the message: > ERROR RuntimeError: org.apache.hadoop.hbase.security.AccessDeniedException: > Insufficient permissions for user 'user1' (global, action=ADMIN) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: getLogEntries clearSlowLogsResponses stopServer Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" will not throw any exception due to below code: {code:java} catch (IOException ioe) { if (!force) { LOG.warn("The region server did not stop", ioe); return; } LOG.warn("Skipping coprocessor exception on preStop() due to forced shutdown", ioe); } {code} So client who call stopServer will not knwo whether his request is whether it is successful or not. Here we add was: getLogEntries clearSlowLogsResponses > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > getLogEntries > clearSlowLogsResponses > stopServer > > Actually, "stopServer" has "preStop" check in its callee "stop", but "stop" > will not throw any exception due to below code: > {code:java} > catch (IOException ioe) { > if (!force) { > LOG.warn("The region server did not stop", ioe); > return; > } > LOG.warn("Skipping coprocessor exception on preStop() due to forced > shutdown", ioe); > } > {code} > So client who call stopServer will not knwo whether his request is whether it > is successful or not. Here we add -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: getLogEntries clearSlowLogsResponses was: stopServer getLogEntries clearSlowLogsResponses > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > getLogEntries > clearSlowLogsResponses -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: stopServer getLogEntries clearSlowLogsResponses > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > > stopServer > getLogEntries > clearSlowLogsResponses -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Summary: add security check for some APIs in RSRpcServices (was: Unauthorized client can shutdown the regionserver) > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta and fixMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Summary: we should add security checks for setTableStateInMeta and fixMeta (was: we should add security checks for stopServer) > we should add security checks for setTableStateInMeta and fixMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > Attachments: HBASE-25432_1.patch > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) Unauthorized client can shutdown the regionserver
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Priority: Critical (was: Blocker) > Unauthorized client can shutdown the regionserver > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for stopServer
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Summary: we should add security checks for stopServer (was: we should add security checks for setTableStateInMeta) > we should add security checks for stopServer > > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > Attachments: HBASE-25432_1.patch > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) Unauthorized client can shutdown the regionserver
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: (was: In think all the shutdowncomand should gothrough master, by this we can authorize the user request.) > Unauthorized client can shutdown the regionserver > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) Unauthorized client can shutdown the regionserver
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: In think all the shutdowncomand should gothrough master, by this we can authorize the user request. (was: In think all the shutcomand should gothrough master, by this we can authorize the user request.) > Unauthorized client can shutdown the regionserver > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > > In think all the shutdowncomand should gothrough master, by this we can > authorize the user request. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) Unauthorized client can shutdown the regionserver
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: In think all the shutcomand should gothrough master, by this we can authorize the user request. (was: In think all the shutcomand should gothrough master, by this we can ) > Unauthorized client can shutdown the regionserver > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > > In think all the shutcomand should gothrough master, by this we can > authorize the user request. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25441) Unauthorized client can shutdown the regionserver
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25441: -- Description: In think all the shutcomand should gothrough master, by this we can > Unauthorized client can shutdown the regionserver > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > > In think all the shutcomand should gothrough master, by this we can -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (HBASE-25441) Unauthorized client can shutdown the regionserver
lujie created HBASE-25441: - Summary: Unauthorized client can shutdown the regionserver Key: HBASE-25441 URL: https://issues.apache.org/jira/browse/HBASE-25441 Project: HBase Issue Type: Bug Reporter: lujie -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17253966#comment-17253966 ] lujie commented on HBASE-25432: --- [~vjasani] Hi, i have submit a patch, when we try fixMeta or setTableStateInMeta as non-admin, it will generate exception like: {code:java} org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'user1' (global, action=ADMIN) {code} > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > Attachments: HBASE-25432_1.patch > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Attachment: HBASE-25432_1.patch > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > Attachments: HBASE-25432_1.patch > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17253928#comment-17253928 ] lujie commented on HBASE-25432: --- yes, i will try my best to fix it. > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Comment Edited] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17253911#comment-17253911 ] lujie edited comment on HBASE-25432 at 12/23/20, 6:44 AM: -- We also find that Hbck.fixMeta also lack of security check, non-admin can also fix the meta, below is log! 2020-12-23 06:26:20,947 INFO [RpcServer.default.FPBQ.Fifo.handler=28,queue=1,port=16000] master.MetaFixer: Fixed hole by adding \{ENCODED => e70948da53cc8a6ce7f7a270a53b884a, NAME => 'TestTable,051557,1608704780922.e70948da53cc8a6ce7f7a270a53b884a.', STARTKEY => '051557', ENDKEY => '056244'}; region is NOT assigned (assign to online) it seems that one user can write region into other users' table! was (Author: xiaoheipangzi): We also find that Hbck.fixMeta also lack of security check, non-admin can also fix the meta, below is log! 2020-12-23 06:26:20,947 INFO [RpcServer.default.FPBQ.Fifo.handler=28,queue=1,port=16000] master.MetaFixer: Fixed hole by adding \{ENCODED => e70948da53cc8a6ce7f7a270a53b884a, NAME => 'TestTable,051557,1608704780922.e70948da53cc8a6ce7f7a270a53b884a.', STARTKEY => '051557', ENDKEY => '056244'}; region is NOT assigned (assign to online) > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17253911#comment-17253911 ] lujie commented on HBASE-25432: --- We also find that Hbck.fixMeta also lack of security check, non-admin can also fix the meta, below is log! 2020-12-23 06:26:20,947 INFO [RpcServer.default.FPBQ.Fifo.handler=28,queue=1,port=16000] master.MetaFixer: Fixed hole by adding \{ENCODED => e70948da53cc8a6ce7f7a270a53b884a, NAME => 'TestTable,051557,1608704780922.e70948da53cc8a6ce7f7a270a53b884a.', STARTKEY => '051557', ENDKEY => '056244'}; region is NOT assigned (assign to online) > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-25407) list_regions make potential sensitive information disclosure
[ https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17253845#comment-17253845 ] lujie commented on HBASE-25407: --- [~vjasani] {code:java} As far as this one is concerned, this doesn't seem security bug. Region location data is public and the ability to locate regions by any client is fundamental to how HBase works. {code} Hum, what i concerned is inconsistency. Table 'test' is not visable to user1, e.g. command 'list' will not return 'test' to user1. But user1 still can list regions of 'test'. Region belong to one table, so its data should only be public to the users who can access the table. If the table is not visable to user1, user1 should also not able to see the regions locations. Maybe is not a security bug,but we need to handle this inconsistency. {code:java} Knowing a region’s location doesn’t give a potential attacker any access to the data {code} Yes, if we build perfect access control, the region infomation will be useless. But we still need follow{color:#FF} Least Privilege principle{color}: Only the minimum level of access for users is granted, because it is hard to guarantee that there is no securiry bugs in system. For example, issues HBASE-6246 and HBASE-15132 need region infomation to exploit and If we keep region infomation only be puclic to users who can access it, it will decrease the possibility of being attacked > list_regions make potential sensitive information disclosure > > > Key: HBASE-25407 > URL: https://issues.apache.org/jira/browse/HBASE-25407 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > Attachments: image-2020-12-18-13-00-20-126.png, > image-2020-12-18-13-07-00-777.png > > > I found that I can get other users' region information which is not expected. > > For example i create a table as sysadmin, then I can read the region > information as user1. > !image-2020-12-18-13-00-20-126.png! > > I have found that list_regions is introduced by > https://issues.apache.org/jira/browse/HBASE-14925 > > we can also get the region info by rest > > !image-2020-12-18-13-07-00-777.png! > > i think if we expose more informaiton, we will be in more danger case, and > even be attacked by others. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: (was: t) > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Priority: Blocker (was: Major) > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Blocker > > t -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: t > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > t -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: (was: setTableStateInMeta is public, that means anyone can call it.) > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: setTableStateInMeta is public, that means anyone can call it. (was: setTableStateInMeta is public, thiat means anyone can call it.) > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > setTableStateInMeta is public, that means anyone can call it. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: setTableStateInMeta is public, this mean anyone can call it. > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > setTableStateInMeta is public, this mean anyone can call it. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Reopened] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie reopened HBASE-25432: --- > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: setTableStateInMeta is public, thiat means anyone can call it. (was: setTableStateInMeta is public, this mean anyone can call it.) > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > setTableStateInMeta is public, thiat means anyone can call it. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for setTableStateInMeta
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Summary: we should add security checks for setTableStateInMeta (was: we should add security checks for list_namespace_tables) > we should add security checks for setTableStateInMeta > - > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (HBASE-25432) we should add security checks for list_namespace_tables
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie resolved HBASE-25432. --- Resolution: Not A Problem > we should add security checks for list_namespace_tables > --- > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: (was: list_namespace_tables miss security check. listTableDescriptorsByNamespace has security check, but it is useless. code of listTableDescriptorsByNamespace is {code:java} public List listTableDescriptorsByNamespace(String name) throws IOException { checkInitialized(); return listTableDescriptors(name, null, null, true); } {code} listTableDescriptors code is {code:java} public List listTableDescriptors(final String namespace, final String regex, final List tableNameList, final boolean includeSysTables) throws IOException { List htds = new ArrayList<>(); if (cpHost != null) { cpHost.preGetTableDescriptors(tableNameList, htds, regex); } htds = getTableDescriptors(htds, namespace, regex, tableNameList, includeSysTables); if (cpHost != null) { cpHost.postGetTableDescriptors(tableNameList, htds, regex); } return htds; } {code} we can see that tableNameList is empty. in the AccessController, empty tableNameList is empty: {code:java} public void preGetTableDescriptors(ObserverContext ctx, List tableNamesList, List descriptors, String regex) throws IOException { // We are delegating the authorization check to postGetTableDescriptors as we don't have // any concrete set of table names when a regex is present or the full list is requested. if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) { // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the // request can be granted. try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) { for (TableName tableName : tableNamesList) { // Skip checks for a table that does not exist if (!admin.tableExists(tableName)) { continue; } requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN, Action.CREATE); } } } } {code} ) > we should add security checks for list_namespace_tables > --- > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Summary: we should add security checks for list_namespace_tables (was: we should add security checks for list_namespace_tables and fix securiry hole in listTableDescriptorsByNamespace) > we should add security checks for list_namespace_tables > --- > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > list_namespace_tables miss security check. > listTableDescriptorsByNamespace has security check, but it is useless. > code of listTableDescriptorsByNamespace is > > {code:java} > public List listTableDescriptorsByNamespace(String name) > throws IOException { > checkInitialized(); > return listTableDescriptors(name, null, null, true); > } > {code} > listTableDescriptors code is > {code:java} > public List listTableDescriptors(final String namespace, > final String regex, > final List tableNameList, final boolean includeSysTables) > throws IOException { > List htds = new ArrayList<>(); > if (cpHost != null) { > cpHost.preGetTableDescriptors(tableNameList, htds, regex); > } > htds = getTableDescriptors(htds, namespace, regex, tableNameList, > includeSysTables); > if (cpHost != null) { > cpHost.postGetTableDescriptors(tableNameList, htds, regex); > } > return htds; > } > {code} > we can see that tableNameList is empty. > in the AccessController, empty tableNameList is empty: > {code:java} > public void > preGetTableDescriptors(ObserverContext ctx, >List tableNamesList, List descriptors, >String regex) throws IOException { > // We are delegating the authorization check to postGetTableDescriptors > as we don't have > // any concrete set of table names when a regex is present or the full > list is requested. > if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) > { > // Otherwise, if the requestor has ADMIN or CREATE privs for all listed > tables, the > // request can be granted. > try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) { > for (TableName tableName : tableNamesList) { > // Skip checks for a table that does not exist > if (!admin.tableExists(tableName)) { > continue; > } > requirePermission(ctx, "getTableDescriptors", tableName, null, > null, Action.ADMIN, > Action.CREATE); > } > } > } > } > {code} > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables and fix securiry hole in listTableDescriptorsByNamespace
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: list_namespace_tables miss security check. listTableDescriptorsByNamespace has security check, but it is useless. code of listTableDescriptorsByNamespace is {code:java} public List listTableDescriptorsByNamespace(String name) throws IOException { checkInitialized(); return listTableDescriptors(name, null, null, true); } {code} listTableDescriptors code is {code:java} public List listTableDescriptors(final String namespace, final String regex, final List tableNameList, final boolean includeSysTables) throws IOException { List htds = new ArrayList<>(); if (cpHost != null) { cpHost.preGetTableDescriptors(tableNameList, htds, regex); } htds = getTableDescriptors(htds, namespace, regex, tableNameList, includeSysTables); if (cpHost != null) { cpHost.postGetTableDescriptors(tableNameList, htds, regex); } return htds; } {code} we can see that tableNameList is empty. in the AccessController, empty tableNameList is empty: {code:java} public void preGetTableDescriptors(ObserverContext ctx, List tableNamesList, List descriptors, String regex) throws IOException { // We are delegating the authorization check to postGetTableDescriptors as we don't have // any concrete set of table names when a regex is present or the full list is requested. if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) { // Otherwise, if the requestor has ADMIN or CREATE privs for all listed tables, the // request can be granted. try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) { for (TableName tableName : tableNamesList) { // Skip checks for a table that does not exist if (!admin.tableExists(tableName)) { continue; } requirePermission(ctx, "getTableDescriptors", tableName, null, null, Action.ADMIN, Action.CREATE); } } } } {code} was: list_namespace_tables miss security check. Even > we should add security checks for list_namespace_tables and fix securiry hole > in listTableDescriptorsByNamespace > > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > list_namespace_tables miss security check. > listTableDescriptorsByNamespace has security check, but it is useless. > code of listTableDescriptorsByNamespace is > > {code:java} > public List listTableDescriptorsByNamespace(String name) > throws IOException { > checkInitialized(); > return listTableDescriptors(name, null, null, true); > } > {code} > listTableDescriptors code is > {code:java} > public List listTableDescriptors(final String namespace, > final String regex, > final List tableNameList, final boolean includeSysTables) > throws IOException { > List htds = new ArrayList<>(); > if (cpHost != null) { > cpHost.preGetTableDescriptors(tableNameList, htds, regex); > } > htds = getTableDescriptors(htds, namespace, regex, tableNameList, > includeSysTables); > if (cpHost != null) { > cpHost.postGetTableDescriptors(tableNameList, htds, regex); > } > return htds; > } > {code} > we can see that tableNameList is empty. > in the AccessController, empty tableNameList is empty: > {code:java} > public void > preGetTableDescriptors(ObserverContext ctx, >List tableNamesList, List descriptors, >String regex) throws IOException { > // We are delegating the authorization check to postGetTableDescriptors > as we don't have > // any concrete set of table names when a regex is present or the full > list is requested. > if (regex == null && tableNamesList != null && !tableNamesList.isEmpty()) > { > // Otherwise, if the requestor has ADMIN or CREATE privs for all listed > tables, the > // request can be granted. > try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) { > for (TableName tableName : tableNamesList) { > // Skip checks for a table that does not exist > if (!admin.tableExists(tableName)) { > continue; > } > requirePermission(ctx, "getTableDescriptors", tableName, null, > null, Action.ADMIN, > Action.CREATE); > } > } > } > } > {code} > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables and fix securiry hole in listTableDescriptorsByNamespace
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: list_namespace_tables miss security check. was:list_namespace_tables has no security check. Even > we should add security checks for list_namespace_tables and fix securiry hole > in listTableDescriptorsByNamespace > > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > list_namespace_tables miss security check. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables and fix securiry hole in listTableDescriptorsByNamespace
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Summary: we should add security checks for list_namespace_tables and fix securiry hole in listTableDescriptorsByNamespace (was: we should add security checks for list_namespace_tables and listTableDescriptorsByNamespace) > we should add security checks for list_namespace_tables and fix securiry hole > in listTableDescriptorsByNamespace > > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > list_namespace_tables has no security check. Even -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables and fix securiry hole in listTableDescriptorsByNamespace
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: list_namespace_tables miss security check. Even was: list_namespace_tables miss security check. > we should add security checks for list_namespace_tables and fix securiry hole > in listTableDescriptorsByNamespace > > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > list_namespace_tables miss security check. > Even -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables and listTableDescriptorsByNamespace
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: list_namespace_tables has no > we should add security checks for list_namespace_tables and > listTableDescriptorsByNamespace > --- > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > list_namespace_tables has no -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables and listTableDescriptorsByNamespace
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Description: list_namespace_tables has no security check. Even (was: list_namespace_tables has no ) > we should add security checks for list_namespace_tables and > listTableDescriptorsByNamespace > --- > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > list_namespace_tables has no security check. Even -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25432) we should add security checks for list_namespace_tables and listTableDescriptorsByNamespace
[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25432: -- Summary: we should add security checks for list_namespace_tables and listTableDescriptorsByNamespace (was: we should add missing security checks for list_namespace_tables and listTableDescriptorsByNamespace) > we should add security checks for list_namespace_tables and > listTableDescriptorsByNamespace > --- > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (HBASE-25432) we should add missing security checks for list_namespace_tables and listTableDescriptorsByNamespace
lujie created HBASE-25432: - Summary: we should add missing security checks for list_namespace_tables and listTableDescriptorsByNamespace Key: HBASE-25432 URL: https://issues.apache.org/jira/browse/HBASE-25432 Project: HBase Issue Type: Bug Reporter: lujie -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25422) update_all_config should not be executed by non-admin user!!!
[ https://issues.apache.org/jira/browse/HBASE-25422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25422: -- Priority: Critical (was: Major) > update_all_config should not be executed by non-admin user!!! > - > > Key: HBASE-25422 > URL: https://issues.apache.org/jira/browse/HBASE-25422 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > Attachments: image-2020-12-20-12-50-23-433.png > > > !image-2020-12-20-12-50-23-433.png! -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25422) update_all_config should not be executed by non-admin user!!!
[ https://issues.apache.org/jira/browse/HBASE-25422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25422: -- Summary: update_all_config should not be executed by non-admin user!!! (was: update_all_config can be executed by non-admin user) > update_all_config should not be executed by non-admin user!!! > - > > Key: HBASE-25422 > URL: https://issues.apache.org/jira/browse/HBASE-25422 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > Attachments: image-2020-12-20-12-50-23-433.png > > > !image-2020-12-20-12-50-23-433.png! -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (HBASE-25422) update_all_config can be executed by non-admin user
lujie created HBASE-25422: - Summary: update_all_config can be executed by non-admin user Key: HBASE-25422 URL: https://issues.apache.org/jira/browse/HBASE-25422 Project: HBase Issue Type: Bug Reporter: lujie Attachments: image-2020-12-20-12-50-23-433.png !image-2020-12-20-12-50-23-433.png! -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25407) list_regions make potential sensitive information disclosure
[ https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25407: -- Description: I found that I can get other users' region information which is not expected. For example i create a table as sysadmin, then I can read the region information as user1. !image-2020-12-18-13-00-20-126.png! I have found that list_regions is introduced by https://issues.apache.org/jira/browse/HBASE-14925 we can also get the region info by rest !image-2020-12-18-13-07-00-777.png! i think if we expose more informaiton, we will be in more danger case, and even be attacked by others. was: I found that I can get other users' region information which is not expected. For example i create a table as sysadmin, then I can read the region information as user1. !image-2020-12-18-13-00-20-126.png! I have found that list_regions is introduced by https://issues.apache.org/jira/browse/HBASE-14925 we can also get the region info by rest !image-2020-12-18-13-07-00-777.png! i think we expose more informaiton, we will be in more danger case, and even be attacked by others. > list_regions make potential sensitive information disclosure > > > Key: HBASE-25407 > URL: https://issues.apache.org/jira/browse/HBASE-25407 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > Fix For: 3.0.0-alpha-1, 1.7.0, 2.2.7, 2.3.4, 2.5.0, 2.4.1 > > Attachments: image-2020-12-18-13-00-20-126.png, > image-2020-12-18-13-07-00-777.png > > > I found that I can get other users' region information which is not expected. > > For example i create a table as sysadmin, then I can read the region > information as user1. > !image-2020-12-18-13-00-20-126.png! > > I have found that list_regions is introduced by > https://issues.apache.org/jira/browse/HBASE-14925 > > we can also get the region info by rest > > !image-2020-12-18-13-07-00-777.png! > > i think if we expose more informaiton, we will be in more danger case, and > even be attacked by others. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25407) list_regions make potential sensitive information disclosure
[ https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25407: -- Description: I found that I can get other users' region information which is not expected. For example i create a table as sysadmin, then I can read the region information as user1. !image-2020-12-18-13-00-20-126.png! I have found that list_regions is introduced by https://issues.apache.org/jira/browse/HBASE-14925 we can also get the region info by rest !image-2020-12-18-13-07-00-777.png! i think we expose more informaiton, we will be in more danger case, and even be attacked by others. was: I found that I can get other users' region information which is not expected. For example i create a table as sysadmin, then I can read the region information as user1. !image-2020-12-18-13-00-20-126.png! I have found that list_regions is introduced by https://issues.apache.org/jira/browse/HBASE-14925 we can also get the region info by rest !image-2020-12-18-13-07-00-777.png! I am just confused about why there is no ACL on the regions, because i think we expose more informaiton, we will be in more danger case, and even be attacked by others. > list_regions make potential sensitive information disclosure > > > Key: HBASE-25407 > URL: https://issues.apache.org/jira/browse/HBASE-25407 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > Fix For: 3.0.0-alpha-1, 1.7.0, 2.2.7, 2.3.4, 2.5.0, 2.4.1 > > Attachments: image-2020-12-18-13-00-20-126.png, > image-2020-12-18-13-07-00-777.png > > > I found that I can get other users' region information which is not expected. > > For example i create a table as sysadmin, then I can read the region > information as user1. > !image-2020-12-18-13-00-20-126.png! > > I have found that list_regions is introduced by > https://issues.apache.org/jira/browse/HBASE-14925 > > we can also get the region info by rest > > !image-2020-12-18-13-07-00-777.png! > > i think we expose more informaiton, we will be in more danger case, and even > be attacked by others. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25407) list_regions make potential sensitive information disclosure
[ https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25407: -- Description: I found that I can get other users' region information which is not expected. For example i create a table as sysadmin, then I can read the region information as user1. !image-2020-12-18-13-00-20-126.png! I have found that list_regions is introduced by https://issues.apache.org/jira/browse/HBASE-14925 we can also get the region info by rest !image-2020-12-18-13-07-00-777.png! I am just confused about why there is no ACL on the regions, because i think we expose more informaiton, we will be in more danger case, and even be attacked by others. was: I found that I can get other users' region information which is not expected. For example i create a table as sysadmin, then I can read the region information as user1. !image-2020-12-18-13-00-20-126.png! I have found that list_regions is introduced by https://issues.apache.org/jira/browse/HBASE-14925 > list_regions make potential sensitive information disclosure > > > Key: HBASE-25407 > URL: https://issues.apache.org/jira/browse/HBASE-25407 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > Attachments: image-2020-12-18-13-00-20-126.png, > image-2020-12-18-13-07-00-777.png > > > I found that I can get other users' region information which is not expected. > > For example i create a table as sysadmin, then I can read the region > information as user1. > !image-2020-12-18-13-00-20-126.png! > > I have found that list_regions is introduced by > https://issues.apache.org/jira/browse/HBASE-14925 > > we can also get the region info by rest > > !image-2020-12-18-13-07-00-777.png! > > I am just confused about why there is no ACL on the regions, because i > think we expose more informaiton, we will be in more danger case, and even be > attacked by others. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25407) list_regions make potential sensitive information disclosure
[ https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25407: -- Attachment: image-2020-12-18-13-07-00-777.png > list_regions make potential sensitive information disclosure > > > Key: HBASE-25407 > URL: https://issues.apache.org/jira/browse/HBASE-25407 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > Attachments: image-2020-12-18-13-00-20-126.png, > image-2020-12-18-13-07-00-777.png > > > I found that I can get other users' region information which is not expected. > > For example i create a table as sysadmin, then I can read the region > information as user1. > !image-2020-12-18-13-00-20-126.png! > > I have found that list_regions is introduced by > https://issues.apache.org/jira/browse/HBASE-14925 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (HBASE-25407) list_regions make potential sensitive information disclosure
lujie created HBASE-25407: - Summary: list_regions make potential sensitive information disclosure Key: HBASE-25407 URL: https://issues.apache.org/jira/browse/HBASE-25407 Project: HBase Issue Type: Bug Reporter: lujie Attachments: image-2020-12-18-13-00-20-126.png I found that I can get other users' region information which is not expected. For example i create a table as sysadmin, then I can read the region information as user1. !image-2020-12-18-13-00-20-126.png! I have found that list_regions is introduced by https://issues.apache.org/jira/browse/HBASE-14925 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25407) list_regions make potential sensitive information disclosure
[ https://issues.apache.org/jira/browse/HBASE-25407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25407: -- Priority: Critical (was: Major) > list_regions make potential sensitive information disclosure > > > Key: HBASE-25407 > URL: https://issues.apache.org/jira/browse/HBASE-25407 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > Attachments: image-2020-12-18-13-00-20-126.png > > > I found that I can get other users' region information which is not expected. > > For example i create a table as sysadmin, then I can read the region > information as user1. > !image-2020-12-18-13-00-20-126.png! > > I have found that list_regions is introduced by > https://issues.apache.org/jira/browse/HBASE-14925 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (HBASE-25332) one NPE
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie resolved HBASE-25332. --- Resolution: Fixed > one NPE > --- > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug > Components: Zookeeper >Reporter: lujie >Assignee: lujie >Priority: Major > Fix For: 3.0.0-alpha-1, 2.4.0, 2.2.7, 2.3.4 > > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Reopened] (HBASE-25332) one NPE
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie reopened HBASE-25332: --- > one NPE > --- > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug > Components: Zookeeper >Reporter: lujie >Assignee: lujie >Priority: Major > Fix For: 3.0.0-alpha-1, 2.4.0, 2.2.7, 2.3.4 > > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (HBASE-25332) one NPE
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie resolved HBASE-25332. --- Resolution: Fixed > one NPE > --- > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug > Components: Zookeeper >Reporter: lujie >Assignee: lujie >Priority: Major > Fix For: 3.0.0-alpha-1, 2.4.0, 2.2.7, 2.3.4 > > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Reopened] (HBASE-25332) one NPE
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie reopened HBASE-25332: --- > one NPE > --- > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug > Components: Zookeeper >Reporter: lujie >Assignee: lujie >Priority: Major > Fix For: 3.0.0-alpha-1, 2.4.0, 2.2.7, 2.3.4 > > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (HBASE-25332) one NPE
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie resolved HBASE-25332. --- Resolution: Fixed > one NPE > --- > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug > Components: Zookeeper >Reporter: lujie >Assignee: lujie >Priority: Major > Fix For: 3.0.0-alpha-1, 2.4.0, 2.2.7, 2.3.4 > > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Reopened] (HBASE-25332) one NPE
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie reopened HBASE-25332: --- > one NPE > --- > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug > Components: Zookeeper >Reporter: lujie >Assignee: lujie >Priority: Major > Fix For: 3.0.0-alpha-1, 2.4.0, 2.2.7, 2.3.4 > > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25332) one NPE
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25332: -- Summary: one NPE (was: one NPEs) > one NPE > --- > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25332) one NPEs
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25332: -- Summary: one NPEs (was: two NPEs) > one NPEs > > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25332) two NPEs
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25332: -- Description: * getData can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] or [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] all its caller have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] We shoud add null check for pontential NPEs. was: * getData can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] or [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] all its caller have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] * peek can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/KeyValueHeap.java#L108] all its callers have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/ReversedKeyValueHeap.java#L110] We shoud add null check for pontential NPEs. > two NPEs > > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (HBASE-25332) two NPEs
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie reassigned HBASE-25332: - Assignee: lujie > two NPEs > > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Major > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > * peek can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/KeyValueHeap.java#L108] > all its callers have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/ReversedKeyValueHeap.java#L110] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25332) two NPEs
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25332: -- Summary: two NPEs (was: One pontential NPE) > two NPEs > > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > * peek can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/KeyValueHeap.java#L108] > all its callers have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/ReversedKeyValueHeap.java#L110] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25332) One pontential NPE
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25332: -- Description: * getData can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] or [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] all its caller have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] * peek can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/KeyValueHeap.java#L108] all its callers have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/ReversedKeyValueHeap.java#L110] We shoud add null check for pontential NPEs. was: * getData can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] or https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619 all its caller have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] * peek can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/KeyValueHeap.java#L108] all its callers have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/ReversedKeyValueHeap.java#L110] * getRegionStateNodeFromName get return null due to other operation that delete region, see [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/master/assignment/RegionStates.java#L143] all its callers have null check except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/master/assignment/MergeTableRegionsProcedure.java#L560] We shoud add null check for pontential NPEs. > One pontential NPE > -- > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619] > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > * peek can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/KeyValueHeap.java#L108] > all its callers have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/ReversedKeyValueHeap.java#L110] > We shoud add null check for pontential NPEs. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (HBASE-25332) One pontential NPE
[ https://issues.apache.org/jira/browse/HBASE-25332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated HBASE-25332: -- Description: * getData can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] or https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619 all its caller have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] * peek can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/KeyValueHeap.java#L108] all its callers have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/ReversedKeyValueHeap.java#L110] * getRegionStateNodeFromName get return null due to other operation that delete region, see [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/master/assignment/RegionStates.java#L143] all its callers have null check except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/master/assignment/MergeTableRegionsProcedure.java#L560] We shoud add null check for pontential NPEs. was: * getData can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] or [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619|https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L606] all its caller have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] * peek can return null at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/KeyValueHeap.java#L108] all its callers have null checker except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/ReversedKeyValueHeap.java#L110] * getRegionStateNodeFromName get return null due to other operation that delete region, see [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/master/assignment/RegionStates.java#L143] all its callers have null check except at [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/master/assignment/MergeTableRegionsProcedure.java#L560] We shoud add null check for pontential NPEs. > One pontential NPE > -- > > Key: HBASE-25332 > URL: https://issues.apache.org/jira/browse/HBASE-25332 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Major > > * getData can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L615] > or > https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-zookeeper/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java#L619 > all its caller have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/rsgroup/RSGroupInfoManagerImpl.java#L467] > * peek can return null at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/KeyValueHeap.java#L108] > all its callers have null checker except at > > [https://github.com/apache/hbase/blob/1726160839368df14602da1618e3538955b25f74/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/ReversedKeyValueHeap.java#L110] > * getRegionStateNodeFromName get return null due to other operation that > delete region, see > >