[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[
https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ted Yu updated HBASE-8213:
--
Affects Version/s: (was: 0.94.7)
0.94.6
Fix Version/s: 0.94.7
0.98.0
0.95.0
Hadoop Flags: Reviewed
global authorization may lose efficacy
---
Key: HBASE-8213
URL: https://issues.apache.org/jira/browse/HBASE-8213
Project: HBase
Issue Type: Bug
Components: security
Affects Versions: 0.95.0, 0.96.0, 0.94.6
Reporter: Jieshan Bean
Assignee: Jieshan Bean
Priority: Critical
Fix For: 0.95.0, 0.98.0, 0.94.7
Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch
It depends on the order of which region be opened first.
Suppose we have one 1 regionserver and only 1 user region REGION-A on this
server, _acl_ region was on another regionserver. _acl_ was opened a few
seconds before REGION-A.
The global authorization data read from Zookeeper was overwritten by the data
read from configuration.
{code}
private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
throws IOException {
this.conf = conf;
this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
try {
// Read global authorization data from zookeeper.
this.zkperms.start();
} catch (KeeperException ke) {
LOG.error(ZooKeeper initialization failed, ke);
}
// It will overwrite globalCache.
// initialize global permissions based on configuration
globalCache = initGlobal(conf);
}
{code}
This issue can be easily reproduced by below steps:
1. Start a cluster with 3 regionservers.
2. Create a new table T1.
3. grant a new user USER-A with global authorization.
4. Kill 1 regionserver RS3 and switch balance off.
5. Start regionserver RS3.
6. Assign region T1 to RS3.
7. Put data with user USER-A.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[
https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Purtell updated HBASE-8213:
--
Resolution: Fixed
Status: Resolved (was: Patch Available)
global authorization may lose efficacy
---
Key: HBASE-8213
URL: https://issues.apache.org/jira/browse/HBASE-8213
Project: HBase
Issue Type: Bug
Components: security
Affects Versions: 0.95.0, 0.96.0, 0.94.6
Reporter: Jieshan Bean
Assignee: Jieshan Bean
Priority: Critical
Fix For: 0.95.0, 0.98.0, 0.94.7
Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch
It depends on the order of which region be opened first.
Suppose we have one 1 regionserver and only 1 user region REGION-A on this
server, _acl_ region was on another regionserver. _acl_ was opened a few
seconds before REGION-A.
The global authorization data read from Zookeeper was overwritten by the data
read from configuration.
{code}
private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
throws IOException {
this.conf = conf;
this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
try {
// Read global authorization data from zookeeper.
this.zkperms.start();
} catch (KeeperException ke) {
LOG.error(ZooKeeper initialization failed, ke);
}
// It will overwrite globalCache.
// initialize global permissions based on configuration
globalCache = initGlobal(conf);
}
{code}
This issue can be easily reproduced by below steps:
1. Start a cluster with 3 regionservers.
2. Create a new table T1.
3. grant a new user USER-A with global authorization.
4. Kill 1 regionserver RS3 and switch balance off.
5. Start regionserver RS3.
6. Assign region T1 to RS3.
7. Put data with user USER-A.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[
https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Purtell updated HBASE-8213:
--
Attachment: HBASE-8213-trunk.patch
+1 on patch 0.94, new test fails if change in TableAuthManager is not applied.
Attached a patch for trunk. TestAccessController passes locally for both 0.94
and trunk builds with patch applied.
global authorization may lose efficacy
---
Key: HBASE-8213
URL: https://issues.apache.org/jira/browse/HBASE-8213
Project: HBase
Issue Type: Bug
Components: security
Affects Versions: 0.95.0, 0.96.0, 0.94.7
Reporter: Jieshan Bean
Assignee: Jieshan Bean
Priority: Critical
Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch
It depends on the order of which region be opened first.
Suppose we have one 1 regionserver and only 1 user region REGION-A on this
server, _acl_ region was on another regionserver. _acl_ was opened a few
seconds before REGION-A.
The global authorization data read from Zookeeper was overwritten by the data
read from configuration.
{code}
private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
throws IOException {
this.conf = conf;
this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
try {
// Read global authorization data from zookeeper.
this.zkperms.start();
} catch (KeeperException ke) {
LOG.error(ZooKeeper initialization failed, ke);
}
// It will overwrite globalCache.
// initialize global permissions based on configuration
globalCache = initGlobal(conf);
}
{code}
This issue can be easily reproduced by below steps:
1. Start a cluster with 3 regionservers.
2. Create a new table T1.
3. grant a new user USER-A with global authorization.
4. Kill 1 regionserver RS3 and switch balance off.
5. Start regionserver RS3.
6. Assign region T1 to RS3.
7. Put data with user USER-A.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[
https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Purtell updated HBASE-8213:
--
Status: Patch Available (was: Open)
global authorization may lose efficacy
---
Key: HBASE-8213
URL: https://issues.apache.org/jira/browse/HBASE-8213
Project: HBase
Issue Type: Bug
Components: security
Affects Versions: 0.95.0, 0.96.0, 0.94.7
Reporter: Jieshan Bean
Assignee: Jieshan Bean
Priority: Critical
Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch
It depends on the order of which region be opened first.
Suppose we have one 1 regionserver and only 1 user region REGION-A on this
server, _acl_ region was on another regionserver. _acl_ was opened a few
seconds before REGION-A.
The global authorization data read from Zookeeper was overwritten by the data
read from configuration.
{code}
private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
throws IOException {
this.conf = conf;
this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
try {
// Read global authorization data from zookeeper.
this.zkperms.start();
} catch (KeeperException ke) {
LOG.error(ZooKeeper initialization failed, ke);
}
// It will overwrite globalCache.
// initialize global permissions based on configuration
globalCache = initGlobal(conf);
}
{code}
This issue can be easily reproduced by below steps:
1. Start a cluster with 3 regionservers.
2. Create a new table T1.
3. grant a new user USER-A with global authorization.
4. Kill 1 regionserver RS3 and switch balance off.
5. Start regionserver RS3.
6. Assign region T1 to RS3.
7. Put data with user USER-A.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[
https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jieshan Bean updated HBASE-8213:
Attachment: HBASE-8213-94.patch
Patch for 94.
global authorization may lose efficacy
---
Key: HBASE-8213
URL: https://issues.apache.org/jira/browse/HBASE-8213
Project: HBase
Issue Type: Bug
Components: security
Affects Versions: 0.95.0, 0.96.0, 0.94.7
Reporter: Jieshan Bean
Assignee: Jieshan Bean
Priority: Critical
Attachments: HBASE-8213-94.patch
It depends on the order of which region be opened first.
Suppose we have one 1 regionserver and only 1 user region REGION-A on this
server, _acl_ region was on another regionserver. _acl_ was opened a few
seconds before REGION-A.
The global authorization data read from Zookeeper was overwritten by the data
read from configuration.
{code}
private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
throws IOException {
this.conf = conf;
this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
try {
// Read global authorization data from zookeeper.
this.zkperms.start();
} catch (KeeperException ke) {
LOG.error(ZooKeeper initialization failed, ke);
}
// It will overwrite globalCache.
// initialize global permissions based on configuration
globalCache = initGlobal(conf);
}
{code}
This issue can be easily reproduced by below steps:
1. Start a cluster with 3 regionservers.
2. Create a new table T1.
3. grant a new user USER-A with global authorization.
4. Kill 1 regionserver RS3 and switch balance off.
5. Start regionserver RS3.
6. Assign region T1 to RS3.
7. Put data with user USER-A.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[
https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Purtell updated HBASE-8213:
--
Component/s: security
Affects Version/s: 0.94.7
0.96.0
0.95.0
global authorization may lose efficacy
---
Key: HBASE-8213
URL: https://issues.apache.org/jira/browse/HBASE-8213
Project: HBase
Issue Type: Bug
Components: security
Affects Versions: 0.95.0, 0.96.0, 0.94.7
Reporter: Jieshan Bean
Assignee: Jieshan Bean
Priority: Critical
It depends on the order of which region be opened first.
Suppose we have one 1 regionserver and only 1 user region REGION-A on this
server, _acl_ region was on another regionserver. _acl_ was opened a few
seconds before REGION-A.
The global authorization data read from Zookeeper was overwritten by the data
read from configuration.
{code}
private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
throws IOException {
this.conf = conf;
this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
try {
// Read global authorization data from zookeeper.
this.zkperms.start();
} catch (KeeperException ke) {
LOG.error(ZooKeeper initialization failed, ke);
}
// It will overwrite globalCache.
// initialize global permissions based on configuration
globalCache = initGlobal(conf);
}
{code}
This issue can be easily reproduced by below steps:
1. Start a cluster with 3 regionservers.
2. Create a new table T1.
3. grant a new user USER-A with global authorization.
4. Kill 1 regionserver RS3 and switch balance off.
5. Start regionserver RS3.
6. Assign region T1 to RS3.
7. Put data with user USER-A.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
