[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14263399#comment-14263399 ]

Hudson commented on HBASE-12641:

SUCCESS: Integrated in HBase-1.0 #627 (See [https://builds.apache.org/job/HBase-1.0/627/])
HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster (Liu Shaohui) (enis: rev efc3a85473fdd21eadc3e7916907bcff6196f225)
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java

> Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
>
> Key: HBASE-12641
> URL: https://issues.apache.org/jira/browse/HBASE-12641
> Project: HBase
> Issue Type: Improvement
> Components: Zookeeper
> Reporter: Liu Shaohui
> Assignee: Liu Shaohui
> Priority: Minor
> Fix For: 1.0.0, 2.0.0, 0.98.10, 1.1.0
> Attachments: HBASE-12641-v1.diff
>
> Currently in a secure cluster, only the master/regionserver kerberos user can manage the znode of hbase. But the master/regionserver kerberos user is for rpc connection and we usually use another super user to manage the cluster.
> In some special scenarios, we need to manage the data of znode with the super user.
> eg:
> a, To get the data of the znode for debugging.
> b, HBASE-8253: We need to delete the znode for the corrupted hlog to avoid it blocking the replication.
> So we grant all permissions of hbase zookeeper node to hbase superuser when creating these znodes.
> Suggestions are welcomed.
> [~apurtell]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14263367#comment-14263367 ]

Enis Soztutar commented on HBASE-12641:

I've pushed this to 1.0.0 as well.
Is reading the configuration every time we create a znode expensive?
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14262832#comment-14262832 ]

Hudson commented on HBASE-12641:

FAILURE: Integrated in HBase-0.98-on-Hadoop-1.1 #737 (See [https://builds.apache.org/job/HBase-0.98-on-Hadoop-1.1/737/])
HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster (Liu Shaohui) (apurtell: rev efc49a745fa198e8f5ed9abe76392e6fff836d75)
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14262822#comment-14262822 ]

Hudson commented on HBASE-12641:

FAILURE: Integrated in HBase-0.98 #772 (See [https://builds.apache.org/job/HBase-0.98/772/])
HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster (Liu Shaohui) (apurtell: rev efc49a745fa198e8f5ed9abe76392e6fff836d75)
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14259588#comment-14259588 ]

Hudson commented on HBASE-12641:

SUCCESS: Integrated in HBase-TRUNK #5969 (See [https://builds.apache.org/job/HBase-TRUNK/5969/])
HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster (Liu Shaohui) (stack: rev a8766fd623e5679b13600646ac2808e733f98d07)
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14259584#comment-14259584 ]

Hudson commented on HBASE-12641:

SUCCESS: Integrated in HBase-1.1 #28 (See [https://builds.apache.org/job/HBase-1.1/28/])
HBASE-12641 Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster (Liu Shaohui) (stack: rev 826bcf1bb9e5a750fd649d8e0165c2a51c446ac1)
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
* hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14258458#comment-14258458 ]

Andrew Purtell commented on HBASE-12641:

+1
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14249240#comment-14249240 ]

stack commented on HBASE-12641:

[~apurtell] You good w/ the above?
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14248192#comment-14248192 ]

Liu Shaohui commented on HBASE-12641:

[~apurtell]
{quote}
Why the 'if (!node.startsWith(zkw.baseZNode))' shortcut?
{quote}
See HBASE-7258: HBase will create the baseZNode recursively if the parent node does not exist.
If zookeeper.znode.parent is /service/hbase/, we don't want to set acl on node /service when hbase creates this node. So we add this shortcut.
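An added example, not code from this thread or from HBase: a small offline audit of the policy discussed above. It skips ancestors of zookeeper.znode.parent such as /service, and under the base it reports znodes that are world-writable or that lack an all-permissions entry for the superuser. The ACL tuples, the `sasl` scheme, the principal names and the child paths are constructed sample data.

```python
"""Audit znode ACLs against the policy discussed in HBASE-12641 (added example)."""

ALL_PERMS = frozenset("cdrwa")  # create, delete, read, write, admin

# Constructed sample: path -> [(scheme, id, perms)], shaped like getAcl results.
SAMPLE_ACLS = {
    "/service": [("world", "anyone", "cdrwa")],
    "/service/hbase": [
        ("sasl", "hbaseadmin", "cdrwa"),
        ("sasl", "hbase", "cdrwa"),
        ("world", "anyone", "r"),      # client-readable znode: world read only
    ],
    "/service/hbase/rs": [
        ("sasl", "hbaseadmin", "cdrwa"),
        ("sasl", "hbase", "cdrwa"),
    ],
    # No superuser entry: only the service principal can manage it.
    "/service/hbase/replication": [("sasl", "hbase", "cdrwa")],
    # Open ACL on a znode inside the base.
    "/service/hbase/old-node": [("world", "anyone", "cdrwa")],
}


def under_base(path, base):
    """True for the base znode itself or a descendant, compared by path component."""
    base = base.rstrip("/") or "/"
    return path == base or path.startswith(base.rstrip("/") + "/")


def audit(acls, base, superuser):
    """Return (path, finding, detail) tuples for znodes under `base`."""
    findings = []
    for path in sorted(acls):
        if not under_base(path, base):
            continue  # ancestors such as /service are outside the policy
        entries = acls[path]
        for scheme, _ident, perms in entries:
            extra = set(perms) - {"r"}
            if scheme == "world" and extra:
                findings.append((path, "world-writable", "".join(sorted(extra))))
        has_superuser = any(
            scheme == "sasl" and ident == superuser and ALL_PERMS <= set(perms)
            for scheme, ident, perms in entries
        )
        if not has_superuser:
            findings.append((path, "superuser-missing", superuser))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACLS, "/service/hbase/", "hbaseadmin"):
        print(*finding, sep="\t")
```
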
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14235885#comment-14235885 ]

Andrew Purtell commented on HBASE-12641:

Sure this makes sense. We were not expecting that there would be "other" superusers than the HBase service account needing to access znodes, but these changes support that use case and seem fine, except:

{code}
--- hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java +++ hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java 
@@ -949,8 +951,17 @@ public class ZKUtil { conf.get("hbase.zookeeper.client.keytab.file") != null); } - private static List createACL(ZooKeeperWatcher zkw, String node) { + private static ArrayList createACL(ZooKeeperWatcher zkw, String node) { +if (!node.startsWith(zkw.baseZNode)) { + return Ids.OPEN_ACL_UNSAFE; +} if (isSecureZooKeeper(zkw.getConfiguration())) { + String superUser = zkw.getConfiguration().get("hbase.superuser"); + ArrayList acls = new ArrayList(); + // add permission to hbase supper user + if (superUser != null) { +acls.add(new ACL(Perms.ALL, new Id("auth", superUser))); + } // Certain znodes are accessed directly by the client, // so they must be readable by non-authenticated clients if ((node.equals(zkw.baseZNode) == true) ||
{code}

Why the 'if (!node.startsWith(zkw.baseZNode))' shortcut? If not isSecureZooKeeper() then we will fall through and return OPEN_ACL_UNSAFE anyway. If this is meant as part of handling when isSecureZooKeeper() is true, then move the shortcut inside that conditional.
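Review bot: in the added line `acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));` the `auth` scheme is given an explicit id, but ZooKeeper's `auth` scheme ignores the supplied id and records the identities the creating session authenticated with, so this entry would not name the superuser. Suggest a scheme that names a principal, for example `new Id("sasl", superUser)`, plus a test that reads the ACL back from a created znode. The value of `hbase.superuser` is also passed whole as a single id; if it can hold more than one name, split it and add one entry per name.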
[jira] [Commented] (HBASE-12641) Grant all permissions of hbase zookeeper node to hbase superuser in a secure cluster
[ https://issues.apache.org/jira/browse/HBASE-12641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14235279#comment-14235279 ]

Hadoop QA commented on HBASE-12641:

-1 overall. Here are the results of testing the latest attachment
  http://issues.apache.org/jira/secure/attachment/12685269/HBASE-12641-v1.diff
  against master branch at commit 08754f2c431b829b0d6269bdb23284dd679ed8ca.
  ATTACHMENT ID: 12685269

+1 @author. The patch does not contain any @author tags.

-1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.

+1 javac. The applied patch does not increase the total number of javac compiler warnings.

+1 javadoc. The javadoc tool did not generate any warning messages.

-1 checkstyle. The applied patch generated 2075 checkstyle errors (more than the master's current 2072 errors).

+1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

+1 release audit. The applied patch does not increase the total number of release audit warnings.

+1 lineLengths. The patch does not introduce lines longer than 100

+1 site. The mvn site goal succeeds with this patch.

+1 core tests. The patch passed unit tests in .

Test results: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//testReport/
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-annotations.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-rest.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/newPatchFindbugsWarningshbase-examples.html
Checkstyle Errors: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//artifact/patchprocess/checkstyle-aggregate.html
Console output: https://builds.apache.org/job/PreCommit-HBASE-Build/11947//console

This message is automatically generated.