[jira] [Commented] (HBASE-25441) add security check for some APIs in RSRpcServices
[
https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17260777#comment-17260777
]
Hudson commented on HBASE-25441:
Results for branch branch-2.2
[build #146 on
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/146/]:
(x) *{color:red}-1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/146//General_Nightly_Build_Report/]
(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/146//JDK8_Nightly_Build_Report_(Hadoop2)/]
(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/146//JDK8_Nightly_Build_Report_(Hadoop3)/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(x) {color:red}-1 client integration test{color}
--Failed when running client tests on top of Hadoop 2. [see log for
details|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.2/146//artifact/output-integration/hadoop-2.log].
(note that this means we didn't run on Hadoop 3)
> add security check for some APIs in RSRpcServices
> -
>
> Key: HBASE-25441
> URL: https://issues.apache.org/jira/browse/HBASE-25441
> Project: HBase
> Issue Type: Bug
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 1.7.0, 2.2.7, 2.3.4, 2.5.0, 2.4.1
>
>
>
> ||API||Severity||symptom||
> |clearRegionBlockCache|Severe|The API will call
> LruBlockCache.evictBlocksByHfileName,
> who is declared as an expensive operation(see its comments), thus non-amin
> may result Dos|
> |clearSlowLogsResponses|Normal|clears queue records from ringbuffer|
> |updateConfiguration|Normal|non-admin user can make RS reload configutation
> from disk by this API. |
> |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the
> region's best storage location by this api|
> |stopServer|low|stopServer on RS is slient, which make client think he/she
> success shutdown RS.
> Add preRpcCheck ont only make client receive the failed message,
> but also prevent the non-admin user stop the RS,
> even the hbase.coprocessor.regionserver.classes are not configured.|
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17258144#comment-17258144 ] Viraj Jasani commented on HBASE-25441: -- [~xiaoheipangzi] can you please take care of updating release notes for other 2 Jiras? Thanks > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Assignee: lujie >Priority: Critical > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > > > ||API||Severity||symptom|| > |clearRegionBlockCache|Severe|The API will call > LruBlockCache.evictBlocksByHfileName, > who is declared as an expensive operation(see its comments), thus non-amin > may result Dos| > |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| > |updateConfiguration|Normal|non-admin user can make RS reload configutation > from disk by this API. | > |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the > region's best storage location by this api| > |stopServer|low|stopServer on RS is slient, which make client think he/she > success shutdown RS. > Add preRpcCheck ont only make client receive the failed message, > but also prevent the non-admin user stop the RS, > even the hbase.coprocessor.regionserver.classes are not configured.| > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-25441) add security check for some APIs in RSRpcServices
[
https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17258138#comment-17258138
]
Viraj Jasani commented on HBASE-25441:
--
{quote}All need Admin access level right?
{quote}
That's correct [~anoop.hbase].
> add security check for some APIs in RSRpcServices
> -
>
> Key: HBASE-25441
> URL: https://issues.apache.org/jira/browse/HBASE-25441
> Project: HBase
> Issue Type: Bug
>Reporter: lujie
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1
>
>
>
> ||API||Severity||symptom||
> |clearRegionBlockCache|Severe|The API will call
> LruBlockCache.evictBlocksByHfileName,
> who is declared as an expensive operation(see its comments), thus non-amin
> may result Dos|
> |clearSlowLogsResponses|Normal|clears queue records from ringbuffer|
> |updateConfiguration|Normal|non-admin user can make RS reload configutation
> from disk by this API. |
> |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the
> region's best storage location by this api|
> |stopServer|low|stopServer on RS is slient, which make client think he/she
> success shutdown RS.
> Add preRpcCheck ont only make client receive the failed message,
> but also prevent the non-admin user stop the RS,
> even the hbase.coprocessor.regionserver.classes are not configured.|
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-25441) add security check for some APIs in RSRpcServices
[ https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17258054#comment-17258054 ] Anoop Sam John commented on HBASE-25441: Can add a Release notes? API names and expected rights to do the op. All need Admin access level right? > add security check for some APIs in RSRpcServices > - > > Key: HBASE-25441 > URL: https://issues.apache.org/jira/browse/HBASE-25441 > Project: HBase > Issue Type: Bug >Reporter: lujie >Priority: Critical > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > > > ||API||Severity||symptom|| > |clearRegionBlockCache|Severe|The API will call > LruBlockCache.evictBlocksByHfileName, > who is declared as an expensive operation(see its comments), thus non-amin > may result Dos| > |clearSlowLogsResponses|Normal|clears queue records from ringbuffer| > |updateConfiguration|Normal|non-admin user can make RS reload configutation > from disk by this API. | > |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the > region's best storage location by this api| > |stopServer|low|stopServer on RS is slient, which make client think he/she > success shutdown RS. > Add preRpcCheck ont only make client receive the failed message, > but also prevent the non-admin user stop the RS, > even the hbase.coprocessor.regionserver.classes are not configured.| > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (HBASE-25441) add security check for some APIs in RSRpcServices
[
https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17257131#comment-17257131
]
Hudson commented on HBASE-25441:
Results for branch branch-2.4
[build #19 on
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/19/]:
(/) *{color:green}+1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/19/General_20Nightly_20Build_20Report/]
(/) {color:green}+1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/19/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]
(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/19/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.4/19/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> add security check for some APIs in RSRpcServices
> -
>
> Key: HBASE-25441
> URL: https://issues.apache.org/jira/browse/HBASE-25441
> Project: HBase
> Issue Type: Bug
>Reporter: lujie
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1
>
>
>
> ||API||Severity||symptom||
> |clearRegionBlockCache|Severe|The API will call
> LruBlockCache.evictBlocksByHfileName,
> who is declared as an expensive operation(see its comments), thus non-amin
> may result Dos|
> |clearSlowLogsResponses|Normal|clears queue records from ringbuffer|
> |updateConfiguration|Normal|non-admin user can make RS reload configutation
> from disk by this API. |
> |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the
> region's best storage location by this api|
> |stopServer|low|stopServer on RS is slient, which make client think he/she
> success shutdown RS.
> Add preRpcCheck ont only make client receive the failed message,
> but also prevent the non-admin user stop the RS,
> even the hbase.coprocessor.regionserver.classes are not configured.|
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-25441) add security check for some APIs in RSRpcServices
[
https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17257073#comment-17257073
]
Hudson commented on HBASE-25441:
Results for branch branch-2
[build #142 on
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/142/]:
(/) *{color:green}+1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/142/General_20Nightly_20Build_20Report/]
(/) {color:green}+1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/142/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]
(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/142/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2/142/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> add security check for some APIs in RSRpcServices
> -
>
> Key: HBASE-25441
> URL: https://issues.apache.org/jira/browse/HBASE-25441
> Project: HBase
> Issue Type: Bug
>Reporter: lujie
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1
>
>
>
> ||API||Severity||symptom||
> |clearRegionBlockCache|Severe|The API will call
> LruBlockCache.evictBlocksByHfileName,
> who is declared as an expensive operation(see its comments), thus non-amin
> may result Dos|
> |clearSlowLogsResponses|Normal|clears queue records from ringbuffer|
> |updateConfiguration|Normal|non-admin user can make RS reload configutation
> from disk by this API. |
> |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the
> region's best storage location by this api|
> |stopServer|low|stopServer on RS is slient, which make client think he/she
> success shutdown RS.
> Add preRpcCheck ont only make client receive the failed message,
> but also prevent the non-admin user stop the RS,
> even the hbase.coprocessor.regionserver.classes are not configured.|
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-25441) add security check for some APIs in RSRpcServices
[
https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17257063#comment-17257063
]
Hudson commented on HBASE-25441:
Results for branch branch-2.3
[build #135 on
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/135/]:
(/) *{color:green}+1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/135/General_20Nightly_20Build_20Report/]
(/) {color:green}+1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/135/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]
(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/135/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/135/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> add security check for some APIs in RSRpcServices
> -
>
> Key: HBASE-25441
> URL: https://issues.apache.org/jira/browse/HBASE-25441
> Project: HBase
> Issue Type: Bug
>Reporter: lujie
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1
>
>
>
> ||API||Severity||symptom||
> |clearRegionBlockCache|Severe|The API will call
> LruBlockCache.evictBlocksByHfileName,
> who is declared as an expensive operation(see its comments), thus non-amin
> may result Dos|
> |clearSlowLogsResponses|Normal|clears queue records from ringbuffer|
> |updateConfiguration|Normal|non-admin user can make RS reload configutation
> from disk by this API. |
> |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the
> region's best storage location by this api|
> |stopServer|low|stopServer on RS is slient, which make client think he/she
> success shutdown RS.
> Add preRpcCheck ont only make client receive the failed message,
> but also prevent the non-admin user stop the RS,
> even the hbase.coprocessor.regionserver.classes are not configured.|
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-25441) add security check for some APIs in RSRpcServices
[
https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17257024#comment-17257024
]
Hudson commented on HBASE-25441:
Results for branch branch-1
[build #71 on
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-1/71/]:
(x) *{color:red}-1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-1/71//General_Nightly_Build_Report/]
(x) {color:red}-1 jdk7 checks{color}
-- For more information [see jdk7
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-1/71//JDK7_Nightly_Build_Report/]
(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-1/71//JDK8_Nightly_Build_Report_(Hadoop2)/]
(x) {color:red}-1 source release artifact{color}
-- See build output for details.
> add security check for some APIs in RSRpcServices
> -
>
> Key: HBASE-25441
> URL: https://issues.apache.org/jira/browse/HBASE-25441
> Project: HBase
> Issue Type: Bug
>Reporter: lujie
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1
>
>
>
> ||API||Severity||symptom||
> |clearRegionBlockCache|Severe|The API will call
> LruBlockCache.evictBlocksByHfileName,
> who is declared as an expensive operation(see its comments), thus non-amin
> may result Dos|
> |clearSlowLogsResponses|Normal|clears queue records from ringbuffer|
> |updateConfiguration|Normal|non-admin user can make RS reload configutation
> from disk by this API. |
> |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the
> region's best storage location by this api|
> |stopServer|low|stopServer on RS is slient, which make client think he/she
> success shutdown RS.
> Add preRpcCheck ont only make client receive the failed message,
> but also prevent the non-admin user stop the RS,
> even the hbase.coprocessor.regionserver.classes are not configured.|
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (HBASE-25441) add security check for some APIs in RSRpcServices
[
https://issues.apache.org/jira/browse/HBASE-25441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256989#comment-17256989
]
Hudson commented on HBASE-25441:
Results for branch master
[build #169 on
builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/169/]:
(/) *{color:green}+1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/169/General_20Nightly_20Build_20Report/]
(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/169/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/master/169/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> add security check for some APIs in RSRpcServices
> -
>
> Key: HBASE-25441
> URL: https://issues.apache.org/jira/browse/HBASE-25441
> Project: HBase
> Issue Type: Bug
>Reporter: lujie
>Priority: Critical
> Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1
>
>
>
> ||API||Severity||symptom||
> |clearRegionBlockCache|Severe|The API will call
> LruBlockCache.evictBlocksByHfileName,
> who is declared as an expensive operation(see its comments), thus non-amin
> may result Dos|
> |clearSlowLogsResponses|Normal|clears queue records from ringbuffer|
> |updateConfiguration|Normal|non-admin user can make RS reload configutation
> from disk by this API. |
> |updateRegionFavoredNodesMapping|Normal|Non-admin user can change the
> region's best storage location by this api|
> |stopServer|low|stopServer on RS is slient, which make client think he/she
> success shutdown RS.
> Add preRpcCheck ont only make client receive the failed message,
> but also prevent the non-admin user stop the RS,
> even the hbase.coprocessor.regionserver.classes are not configured.|
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
