[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116649#comment-15116649 ] Enis Soztutar commented on HBASE-15132: --- Yep, this is only needed for auditing. Not sure whether it is useful since we should already audit at the master. But no harm in executing the RPC as the request user. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116646#comment-15116646 ] Enis Soztutar commented on HBASE-15132: --- I think we cannot remove the AC in the regionserver side, otherwise, somebody can do the region merge with a direct call to regionserver, bypassing master. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116644#comment-15116644 ] Ted Yu commented on HBASE-15132: We need more work because from auditing point of view, user 'hbase' would be making RPC call to region server where the two regions reside. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116632#comment-15116632 ] Anoop Sam John commented on HBASE-15132: preMerge() impl in AC could have been removed as that will be of no use now. We missed that in this patch. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116630#comment-15116630 ] Anoop Sam John commented on HBASE-15132: Ya. Master side hooks gives a way to AC to do the auth check and do the early out and avoid the unwanted moves and RPCs. So from AC perspective this works right? Why we need more work now? > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116348#comment-15116348 ] Ted Yu commented on HBASE-15132: Looking at the flow in JIRA description, I think there is more to be done for end to end case. Namely, mergeRegions RPC call in step 3 should be performed under request user credential. [~anoop.hbase] [~enis]: What do you think ? > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116585#comment-15116585 ] Anoop Sam John commented on HBASE-15132: bq.Namely, mergeRegions RPC call in step 3 should be performed under request user credential. Then why we need the new master side hooks? That will any way handle the AC right? > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15116591#comment-15116591 ] Ted Yu commented on HBASE-15132: We need the master side hooks because otherwise unauthorized user can effectively move two regions, originally on different servers, onto the same server. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15113902#comment-15113902 ] Hudson commented on HBASE-15132: SUCCESS: Integrated in HBase-1.3-IT #458 (See [https://builds.apache.org/job/HBase-1.3-IT/458/]) HBASE-15132 Master region merge RPC should authorize user request (tedyu: rev 63f4ba183a20330af833ca906afe4c81029d80a7) * hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterObserver.java * hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java * hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java * hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java * hbase-server/src/test/java/org/apache/hadoop/hbase/coprocessor/TestMasterObserver.java * hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java * hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterAndRegionObserver.java > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15113925#comment-15113925 ] Hudson commented on HBASE-15132: FAILURE: Integrated in HBase-Trunk_matrix #657 (See [https://builds.apache.org/job/HBase-Trunk_matrix/657/]) HBASE-15132 Master region merge RPC should authorize user request (tedyu: rev 6ed3c759d0ee0549e7d9eb77fe71b39409f5e4d9) * hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java * hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java * hbase-server/src/test/java/org/apache/hadoop/hbase/coprocessor/TestMasterObserver.java * hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterAndRegionObserver.java * hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java * hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java * hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterObserver.java > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15113890#comment-15113890 ] Hudson commented on HBASE-15132: SUCCESS: Integrated in HBase-1.3 #511 (See [https://builds.apache.org/job/HBase-1.3/511/]) HBASE-15132 Master region merge RPC should authorize user request (tedyu: rev 63f4ba183a20330af833ca906afe4c81029d80a7) * hbase-server/src/test/java/org/apache/hadoop/hbase/coprocessor/TestMasterObserver.java * hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterAndRegionObserver.java * hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterRpcServices.java * hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/MasterObserver.java * hbase-server/src/main/java/org/apache/hadoop/hbase/coprocessor/BaseMasterObserver.java * hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java * hbase-server/src/main/java/org/apache/hadoop/hbase/master/MasterCoprocessorHost.java > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Fix For: 2.0.0, 1.3.0 > > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15112933#comment-15112933
]
Hadoop QA commented on HBASE-15132:
---
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 0s
{color} | {color:blue} Docker mode activated. {color} |
| {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m
0s {color} | {color:green} Patch does not have any anti-patterns. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s
{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m
0s {color} | {color:green} The patch appears to include 1 new or modified test
files. {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m
8s {color} | {color:green} branch-1 passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 44s
{color} | {color:green} branch-1 passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 37s
{color} | {color:green} branch-1 passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
21s {color} | {color:green} branch-1 passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
21s {color} | {color:green} branch-1 passed {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 8s
{color} | {color:green} branch-1 passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 42s
{color} | {color:green} branch-1 passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 39s
{color} | {color:green} branch-1 passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
49s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 44s
{color} | {color:green} the patch passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 44s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 37s
{color} | {color:green} the patch passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 37s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
17s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
18s {color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s
{color} | {color:red} The patch has 2 line(s) that end in whitespace. Use git
apply --whitespace=fix. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 4m
49s {color} | {color:green} Patch does not cause any errors with Hadoop 2.4.1
2.5.2 2.6.0. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m
22s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 38s
{color} | {color:green} the patch passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 39s
{color} | {color:green} the patch passed with JDK v1.7.0_91 {color} |
| {color:red}-1{color} | {color:red} unit {color} | {color:red} 108m 57s
{color} | {color:red} hbase-server in the patch failed with JDK v1.8.0_66.
{color} |
| {color:red}-1{color} | {color:red} unit {color} | {color:red} 103m 16s
{color} | {color:red} hbase-server in the patch failed with JDK v1.7.0_91.
{color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
19s {color} | {color:green} Patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 234m 0s {color}
| {color:black} {color} |
\\
\\
|| Reason || Tests ||
| JDK v1.8.0_66 Failed junit tests |
hadoop.hbase.master.procedure.TestModifyNamespaceProcedure |
| JDK v1.7.0_91 Failed junit tests | hadoop.hbase.mapreduce.TestImportExport |
\\
\\
|| Subsystem || Report/Notes ||
| Docker | Client=1.9.1 Server=1.9.1 Image:yetus/hbase:date2016-01-22 |
| JIRA Patch URL |
https://issues.apache.org/jira/secure/attachment/12783843/HBASE-15132-branch-1.v6.patch
|
| JIRA Issue | HBASE-15132 |
| Optional Tests | asflicense javac javadoc unit findbugs hadoopcheck
hbaseanti checkstyle
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15112925#comment-15112925 ] Enis Soztutar commented on HBASE-15132: --- I was checking why we are not wrapping the post call with doAs() as well. I think the doAs in the pre is not needed at all, since the handler is already in user context, no? > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15112954#comment-15112954 ] Ted Yu commented on HBASE-15132: w.r.t. test failure in TestModifyNamespaceProcedure, the patch is not related to either namespace nor procedure V2. I ran it locally and it passed. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15112949#comment-15112949
]
Ted Yu commented on HBASE-15132:
bq. since the handler is already in user context, no?
I don't think so.
Here is the stack trace:
{code}
MasterRpcServices.dispatchMergingRegions(RpcController,
MasterProtos$DispatchMergingRegionsRequest) line: 531
MasterProtos$MasterService$2.callBlockingMethod(Descriptors$MethodDescriptor,
RpcController, Message) line: 58210
RpcServer.call(BlockingService, MethodDescriptor, Message, CellScanner, long,
MonitoredRPCHandler) line: 2231
CallRunner.run() line: 109
BalancedQueueRpcExecutor(RpcExecutor).consumerLoop(BlockingQueue)
line: 133
RpcExecutor$1.run() line: 108
Thread.run() line: 745
{code}
> Master region merge RPC should authorize user request
> -
>
> Key: HBASE-15132
> URL: https://issues.apache.org/jira/browse/HBASE-15132
> Project: HBase
> Issue Type: Bug
>Reporter: Ted Yu
>Assignee: Ted Yu
> Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch,
> HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch,
> HBASE-15132.v6.patch
>
>
> The normal flow for region merge is:
> 1. client sends a master RPC for dispatch merge regions
> 2. master moves the regions to the same regionserver
> 3. master calls mergeRegions RPC on the regionserver.
> For user initiated region merge, MasterRpcServices#dispatchMergingRegions()
> is called by HBaseAdmin.
> There is no coprocessor invocation in step 1.
> Step 3 is carried out in the "hbase" user context.
> This leaves potential security hole - any user without proper authorization
> can merge regions of any table.
> Thanks to Enis who spotted this flaw first.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15112092#comment-15112092
]
Hadoop QA commented on HBASE-15132:
---
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m
0s {color} | {color:green} Patch does not have any anti-patterns. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s
{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m
0s {color} | {color:green} The patch appears to include 1 new or modified test
files. {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 2m
38s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 40s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 32s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 4m
20s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
15s {color} | {color:green} master passed {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 1m 52s
{color} | {color:red} hbase-server in master has 1 extant Findbugs warnings.
{color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 26s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 31s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
46s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 38s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 38s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 34s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 34s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 4m
11s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
15s {color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s
{color} | {color:red} The patch has 2 line(s) that end in whitespace. Use git
apply --whitespace=fix. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green}
21m 40s {color} | {color:green} Patch does not cause any errors with Hadoop
2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 1s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 25s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 32s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 100m 24s
{color} | {color:green} hbase-server in the patch passed with JDK v1.8.0.
{color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 96m 30s
{color} | {color:green} hbase-server in the patch passed with JDK v1.7.0_79.
{color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
15s {color} | {color:green} Patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 239m 45s {color}
| {color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Patch URL |
https://issues.apache.org/jira/secure/attachment/12783745/HBASE-15132.v6.patch |
| JIRA Issue | HBASE-15132 |
| Optional Tests | asflicense javac javadoc unit findbugs hadoopcheck
hbaseanti checkstyle compile |
| uname | Linux asf905.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality |
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh
|
| git revision | master / b6f091e |
| findbugs | v3.0.0
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15113604#comment-15113604
]
Hadoop QA commented on HBASE-15132:
---
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 0s
{color} | {color:blue} Docker mode activated. {color} |
| {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m
0s {color} | {color:green} Patch does not have any anti-patterns. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s
{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m
0s {color} | {color:green} The patch appears to include 1 new or modified test
files. {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 2m
26s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 36s
{color} | {color:green} master passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 34s
{color} | {color:green} master passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 3m
52s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
16s {color} | {color:green} master passed {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 1m 52s
{color} | {color:red} hbase-server in master has 1 extant Findbugs warnings.
{color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 29s
{color} | {color:green} master passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 34s
{color} | {color:green} master passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
46s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 36s
{color} | {color:green} the patch passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 36s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 34s
{color} | {color:green} the patch passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 34s
{color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 4m 16s
{color} | {color:red} Patch generated 1 new checkstyle issues in hbase-server
(total was 123, now 124). {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
16s {color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s
{color} | {color:red} The patch has 2 line(s) that end in whitespace. Use git
apply --whitespace=fix. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green}
21m 39s {color} | {color:green} Patch does not cause any errors with Hadoop
2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 0s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 30s
{color} | {color:green} the patch passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 32s
{color} | {color:green} the patch passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 96m 20s
{color} | {color:green} hbase-server in the patch passed with JDK v1.8.0_66.
{color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 108m 37s
{color} | {color:green} hbase-server in the patch passed with JDK v1.7.0_91.
{color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
13s {color} | {color:green} Patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 247m 20s {color}
| {color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| Docker | Client=1.9.1 Server=1.9.1 Image:yetus/hbase:date2016-01-23 |
| JIRA Patch URL |
https://issues.apache.org/jira/secure/attachment/12783972/HBASE-15132.v8.patch |
| JIRA Issue | HBASE-15132 |
| Optional Tests | asflicense javac javadoc unit findbugs hadoopcheck
hbaseanti checkstyle compile |
| uname | Linux b3aa04d663ca 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15113449#comment-15113449
]
Enis Soztutar commented on HBASE-15132:
---
bq. I don't think so.
bq. Here is the stack trace:
The stack trace will not contain the User.doAs() necessarily. We find the
request user like this:
{code}
private User getActiveUser() throws IOException {
User user = RpcServer.getRequestUser();
if (user == null) {
// for non-rpc handling, fallback to system user
user = userProvider.getCurrent();
}
return user;
}
{code}
So in the MasterRPCServices the request running inside a handler will already
contain the required User information from the RPC layer.
> Master region merge RPC should authorize user request
> -
>
> Key: HBASE-15132
> URL: https://issues.apache.org/jira/browse/HBASE-15132
> Project: HBase
> Issue Type: Bug
>Reporter: Ted Yu
>Assignee: Ted Yu
> Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch,
> HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch,
> HBASE-15132.v6.patch, HBASE-15132.v7.patch
>
>
> The normal flow for region merge is:
> 1. client sends a master RPC for dispatch merge regions
> 2. master moves the regions to the same regionserver
> 3. master calls mergeRegions RPC on the regionserver.
> For user initiated region merge, MasterRpcServices#dispatchMergingRegions()
> is called by HBaseAdmin.
> There is no coprocessor invocation in step 1.
> Step 3 is carried out in the "hbase" user context.
> This leaves potential security hole - any user without proper authorization
> can merge regions of any table.
> Thanks to Enis who spotted this flaw first.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15113458#comment-15113458
]
Hadoop QA commented on HBASE-15132:
---
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 0s
{color} | {color:blue} Docker mode activated. {color} |
| {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m
0s {color} | {color:green} Patch does not have any anti-patterns. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s
{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m
0s {color} | {color:green} The patch appears to include 1 new or modified test
files. {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 2m
36s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 51s
{color} | {color:green} master passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 48s
{color} | {color:green} master passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 4m
9s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
27s {color} | {color:green} master passed {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 2m 53s
{color} | {color:red} hbase-server in master has 1 extant Findbugs warnings.
{color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 3s
{color} | {color:green} master passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 55s
{color} | {color:green} master passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
50s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 54s
{color} | {color:green} the patch passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 54s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 50s
{color} | {color:green} the patch passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 50s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 4m
41s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
25s {color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s
{color} | {color:red} The patch has 2 line(s) that end in whitespace. Use git
apply --whitespace=fix. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green}
23m 51s {color} | {color:green} Patch does not cause any errors with Hadoop
2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 6s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 31s
{color} | {color:green} the patch passed with JDK v1.8.0_66 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 33s
{color} | {color:green} the patch passed with JDK v1.7.0_91 {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 101m 8s
{color} | {color:green} hbase-server in the patch passed with JDK v1.8.0_66.
{color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 88m 3s
{color} | {color:green} hbase-server in the patch passed with JDK v1.7.0_91.
{color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
14s {color} | {color:green} Patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 238m 17s {color}
| {color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| Docker | Client=1.9.1 Server=1.9.1 Image:yetus/hbase:date2016-01-22 |
| JIRA Patch URL |
https://issues.apache.org/jira/secure/attachment/12783920/HBASE-15132.v7.patch |
| JIRA Issue | HBASE-15132 |
| Optional Tests | asflicense javac javadoc unit findbugs hadoopcheck
hbaseanti checkstyle compile |
| uname | Linux d326d1749e15 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed
Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15113510#comment-15113510 ] Enis Soztutar commented on HBASE-15132: --- Thanks Ted. +1. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Attachments: HBASE-15132-branch-1.v6.patch, HBASE-15132.v1.patch, > HBASE-15132.v2.patch, HBASE-15132.v4.patch, HBASE-15132.v5.patch, > HBASE-15132.v6.patch, HBASE-15132.v7.patch, HBASE-15132.v8.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15110529#comment-15110529
]
Anoop Sam John commented on HBASE-15132:
Implement new method in BaseMasterAndRegionObserver also so that don't have to
do dummy impl in VisibilityController.
We don't want a post hook?
bq.Call {@link org.apache.hadoop.hbase.coprocessor.ObserverContext#bypass()} to
skip the merge.
Doc says bypass is having effect but the code is not considering that.
{code}
if (User.isHBaseSecurityEnabled(master.getConfiguration())) {
531 User user = RpcServer.getRequestUser();
532 try {
533 user.getUGI().doAs(new PrivilegedExceptionAction() {
534 @Override
535 public Void run() throws Exception {
536 master.cpHost.preMerge(regionInfoA, regionInfoB);
537 return null;
538 }
539 });
{code}
When a hook is added, it must be called irrespective of security is enabled or
not.
This flow will be executed by the normal RPC user who called merge() right?
Still do we need this doAs way?
> Master region merge RPC should authorize user request
> -
>
> Key: HBASE-15132
> URL: https://issues.apache.org/jira/browse/HBASE-15132
> Project: HBase
> Issue Type: Bug
>Reporter: Ted Yu
>Assignee: Ted Yu
> Attachments: HBASE-15132.v1.patch
>
>
> The normal flow for region merge is:
> 1. client sends a master RPC for dispatch merge regions
> 2. master moves the regions to the same regionserver
> 3. master calls mergeRegions RPC on the regionserver.
> For user initiated region merge, MasterRpcServices#dispatchMergingRegions()
> is called by HBaseAdmin.
> There is no coprocessor invocation in step 1.
> Step 3 is carried out in the "hbase" user context.
> This leaves potential security hole - any user without proper authorization
> can merge regions of any table.
> Thanks to Enis who spotted this flaw first.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15111080#comment-15111080 ] Enis Soztutar commented on HBASE-15132: --- bq. I am not aware of use case which needs the post hook. When the requirement comes, we can add later. We should stick with the standard coprocessor pattern. Always add preXXX() and postXXX() please. I think the method name should be preDispatchMerge() or preDispatchRegionMerge(). We already have preMerge() in the regionserver coprocessor. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Attachments: HBASE-15132.v1.patch, HBASE-15132.v2.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15111088#comment-15111088 ] Enis Soztutar commented on HBASE-15132: --- Can you also add a unit test as well. We unfortunately do not have end-to-end test coverage of the ACLs yet, so I do not want to block the patch for adding one. However, maybe we can do a manual test at least. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Attachments: HBASE-15132.v1.patch, HBASE-15132.v2.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15110937#comment-15110937 ] Ted Yu commented on HBASE-15132: bq. We don't want a post hook? I am not aware of use case which needs the post hook. When the requirement comes, we can add later. The rest of review comments are addressed in patch v2. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Attachments: HBASE-15132.v1.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15111337#comment-15111337
]
Hadoop QA commented on HBASE-15132:
---
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m
0s {color} | {color:green} Patch does not have any anti-patterns. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s
{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m
0s {color} | {color:green} The patch appears to include 1 new or modified test
files. {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 2m
59s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 48s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 37s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 4m
45s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
18s {color} | {color:green} master passed {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 2m 15s
{color} | {color:red} hbase-server in master has 1 extant Findbugs warnings.
{color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 36s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 42s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
52s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 53s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 53s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 37s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 37s
{color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 4m 54s
{color} | {color:red} Patch generated 4 new checkstyle issues in hbase-server
(total was 123, now 127). {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
19s {color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s
{color} | {color:red} The patch has 1 line(s) that end in whitespace. Use git
apply --whitespace=fix. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green}
23m 57s {color} | {color:green} Patch does not cause any errors with Hadoop
2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m
32s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 38s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 38s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:red}-1{color} | {color:red} unit {color} | {color:red} 105m 46s
{color} | {color:red} hbase-server in the patch failed with JDK v1.8.0. {color}
|
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 93m 22s
{color} | {color:green} hbase-server in the patch passed with JDK v1.7.0_79.
{color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
15s {color} | {color:green} Patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 248m 5s {color}
| {color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Patch URL |
https://issues.apache.org/jira/secure/attachment/12783613/HBASE-15132.v2.patch |
| JIRA Issue | HBASE-15132 |
| Optional Tests | asflicense javac javadoc unit findbugs hadoopcheck
hbaseanti checkstyle compile |
| uname | Linux asf906.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality |
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh
|
| git
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15111799#comment-15111799
]
Hadoop QA commented on HBASE-15132:
---
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m
0s {color} | {color:green} Patch does not have any anti-patterns. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s
{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m
0s {color} | {color:green} The patch appears to include 1 new or modified test
files. {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m
9s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 47s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 39s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 4m
53s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
18s {color} | {color:green} master passed {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 2m 20s
{color} | {color:red} hbase-server in master has 1 extant Findbugs warnings.
{color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 34s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 39s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
56s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 49s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 49s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 40s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 40s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 4m
56s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
17s {color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s
{color} | {color:red} The patch has 2 line(s) that end in whitespace. Use git
apply --whitespace=fix. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green}
26m 12s {color} | {color:green} Patch does not cause any errors with Hadoop
2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m
23s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 30s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 43s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 91m 18s
{color} | {color:green} hbase-server in the patch passed with JDK v1.8.0.
{color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 84m 22s
{color} | {color:green} hbase-server in the patch passed with JDK v1.7.0_79.
{color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
14s {color} | {color:green} Patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 227m 9s {color}
| {color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Patch URL |
https://issues.apache.org/jira/secure/attachment/12783673/HBASE-15132.v5.patch |
| JIRA Issue | HBASE-15132 |
| Optional Tests | asflicense javac javadoc unit findbugs hadoopcheck
hbaseanti checkstyle compile |
| uname | Linux asf901.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality |
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh
|
| git revision | master / 110274b |
| findbugs | v3.0.0 |
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15111911#comment-15111911 ] Anoop Sam John commented on HBASE-15132: +1 > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Attachments: HBASE-15132.v1.patch, HBASE-15132.v2.patch, > HBASE-15132.v4.patch, HBASE-15132.v5.patch, HBASE-15132.v6.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15111977#comment-15111977
]
Hadoop QA commented on HBASE-15132:
---
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m
0s {color} | {color:green} Patch does not have any anti-patterns. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s
{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m
0s {color} | {color:green} The patch appears to include 1 new or modified test
files. {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 3m
53s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 1m 15s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 49s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 6m
22s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
25s {color} | {color:green} master passed {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 2m 54s
{color} | {color:red} hbase-server in master has 1 extant Findbugs warnings.
{color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 1s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 53s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m
10s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 1m 16s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 1m 16s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 51s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 51s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 5m
56s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
29s {color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s
{color} | {color:red} The patch has 2 line(s) that end in whitespace. Use git
apply --whitespace=fix. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green}
33m 36s {color} | {color:green} Patch does not cause any errors with Hadoop
2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 4s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 50s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 54s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 146m 15s
{color} | {color:green} hbase-server in the patch passed with JDK v1.8.0.
{color} |
| {color:green}+1{color} | {color:green} unit {color} | {color:green} 148m 56s
{color} | {color:green} hbase-server in the patch passed with JDK v1.7.0_79.
{color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
51s {color} | {color:green} Patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 362m 18s {color}
| {color:black} {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Patch URL |
https://issues.apache.org/jira/secure/attachment/12783673/HBASE-15132.v5.patch |
| JIRA Issue | HBASE-15132 |
| Optional Tests | asflicense javac javadoc unit findbugs hadoopcheck
hbaseanti checkstyle compile |
| uname | Linux asf909.gq1.ygridcore.net 3.13.0-36-lowlatency #63-Ubuntu SMP
PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality |
/home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build@2/component/dev-support/hbase-personality.sh
|
| git revision | master / 110274b |
| findbugs |
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15109534#comment-15109534
]
Hadoop QA commented on HBASE-15132:
---
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m
0s {color} | {color:green} Patch does not have any anti-patterns. {color} |
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s
{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m
0s {color} | {color:green} The patch appears to include 1 new or modified test
files. {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 2m
40s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 58s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 35s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 4m
49s {color} | {color:green} master passed {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
18s {color} | {color:green} master passed {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 2m 27s
{color} | {color:red} hbase-server in master has 1 extant Findbugs warnings.
{color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 45s
{color} | {color:green} master passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 43s
{color} | {color:green} master passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
58s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 1m 3s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 1m 3s
{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 40s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 40s
{color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 5m 3s
{color} | {color:red} Patch generated 4 new checkstyle issues in hbase-server
(total was 121, now 125). {color} |
| {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m
17s {color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m 0s
{color} | {color:red} The patch has 1 line(s) that end in whitespace. Use git
apply --whitespace=fix. {color} |
| {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green}
25m 31s {color} | {color:green} Patch does not cause any errors with Hadoop
2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m
16s {color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 50s
{color} | {color:green} the patch passed with JDK v1.8.0 {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 39s
{color} | {color:green} the patch passed with JDK v1.7.0_79 {color} |
| {color:red}-1{color} | {color:red} unit {color} | {color:red} 132m 25s
{color} | {color:red} hbase-server in the patch failed with JDK v1.8.0. {color}
|
| {color:red}-1{color} | {color:red} unit {color} | {color:red} 87m 22s {color}
| {color:red} hbase-server in the patch failed with JDK v1.7.0_79. {color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
26s {color} | {color:green} Patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 271m 16s {color}
| {color:black} {color} |
\\
\\
|| Reason || Tests ||
| JDK v1.8.0 Failed junit tests |
hadoop.hbase.master.balancer.TestStochasticLoadBalancer |
| JDK v1.8.0 Timed out junit tests |
org.apache.hadoop.hbase.regionserver.TestSplitTransactionOnCluster |
| | org.apache.hadoop.hbase.snapshot.TestSecureExportSnapshot |
| | org.apache.hadoop.hbase.snapshot.TestMobExportSnapshot |
| | org.apache.hadoop.hbase.snapshot.TestExportSnapshot |
| JDK v1.7.0_79 Timed out junit tests | org.apache.hadoop.hbase.TestZooKeeper |
| | org.apache.hadoop.hbase.snapshot.TestMobSecureExportSnapshot |
| |
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15109583#comment-15109583 ] Ted Yu commented on HBASE-15132: I ran failed tests locally which passed. And these tests are not related to region merge. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > Attachments: HBASE-15132.v1.patch > > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[
https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15108393#comment-15108393
]
Ted Yu commented on HBASE-15132:
Toward the end of MasterRpcServices#dispatchMergingRegions():
{code}
try {
master.dispatchMergingRegions(regionInfoA, regionInfoB, forcible);
} catch (IOException ioe) {
{code}
Request user is not preserved for the above call.
Meaning, step 3 loses track of user identity.
> Master region merge RPC should authorize user request
> -
>
> Key: HBASE-15132
> URL: https://issues.apache.org/jira/browse/HBASE-15132
> Project: HBase
> Issue Type: Bug
>Reporter: Ted Yu
>Assignee: Ted Yu
> Attachments: 15132-v1.patch
>
>
> The normal flow for region merge is:
> 1. client sends a master RPC for dispatch merge regions
> 2. master moves the regions to the same regionserver
> 3. master calls mergeRegions RPC on the regionserver.
> For user initiated region merge, MasterRpcServices#dispatchMergingRegions()
> is called by HBaseAdmin.
> There is no coprocessor invocation in step 1.
> Step 3 is carried out in the "hbase" user context.
> This leaves potential security hole - any user without proper authorization
> can merge regions of any table.
> Thanks to Enis who spotted this flaw first.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HBASE-15132) Master region merge RPC should authorize user request
[ https://issues.apache.org/jira/browse/HBASE-15132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15107873#comment-15107873 ] Ted Yu commented on HBASE-15132: The preMerge() hook is currently executed on region server. One solution is to enhance MasterObserver with preMerge() hook. MasterRpcServices#dispatchMergingRegions() can execute preMerge() hook in the context of request user. Comment is welcome. > Master region merge RPC should authorize user request > - > > Key: HBASE-15132 > URL: https://issues.apache.org/jira/browse/HBASE-15132 > Project: HBase > Issue Type: Bug >Reporter: Ted Yu >Assignee: Ted Yu > > The normal flow for region merge is: > 1. client sends a master RPC for dispatch merge regions > 2. master moves the regions to the same regionserver > 3. master calls mergeRegions RPC on the regionserver. > For user initiated region merge, MasterRpcServices#dispatchMergingRegions() > is called by HBaseAdmin. > There is no coprocessor invocation in step 1. > Step 3 is carried out in the "hbase" user context. > This leaves potential security hole - any user without proper authorization > can merge regions of any table. > Thanks to Enis who spotted this flaw first. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
