[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Ted Yu updated HBASE-8213: -- Affects Version/s: (was: 0.94.7) 0.94.6 Fix Version/s: 0.94.7 0.98.0 0.95.0 Hadoop Flags: Reviewed global authorization may lose efficacy --- Key: HBASE-8213 URL: https://issues.apache.org/jira/browse/HBASE-8213 Project: HBase Issue Type: Bug Components: security Affects Versions: 0.95.0, 0.96.0, 0.94.6 Reporter: Jieshan Bean Assignee: Jieshan Bean Priority: Critical Fix For: 0.95.0, 0.98.0, 0.94.7 Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch It depends on the order of which region be opened first. Suppose we have one 1 regionserver and only 1 user region REGION-A on this server, _acl_ region was on another regionserver. _acl_ was opened a few seconds before REGION-A. The global authorization data read from Zookeeper was overwritten by the data read from configuration. {code} private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf) throws IOException { this.conf = conf; this.zkperms = new ZKPermissionWatcher(watcher, this, conf); try { // Read global authorization data from zookeeper. this.zkperms.start(); } catch (KeeperException ke) { LOG.error(ZooKeeper initialization failed, ke); } // It will overwrite globalCache. // initialize global permissions based on configuration globalCache = initGlobal(conf); } {code} This issue can be easily reproduced by below steps: 1. Start a cluster with 3 regionservers. 2. Create a new table T1. 3. grant a new user USER-A with global authorization. 4. Kill 1 regionserver RS3 and switch balance off. 5. Start regionserver RS3. 6. Assign region T1 to RS3. 7. Put data with user USER-A. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-8213: -- Resolution: Fixed Status: Resolved (was: Patch Available) global authorization may lose efficacy --- Key: HBASE-8213 URL: https://issues.apache.org/jira/browse/HBASE-8213 Project: HBase Issue Type: Bug Components: security Affects Versions: 0.95.0, 0.96.0, 0.94.6 Reporter: Jieshan Bean Assignee: Jieshan Bean Priority: Critical Fix For: 0.95.0, 0.98.0, 0.94.7 Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch It depends on the order of which region be opened first. Suppose we have one 1 regionserver and only 1 user region REGION-A on this server, _acl_ region was on another regionserver. _acl_ was opened a few seconds before REGION-A. The global authorization data read from Zookeeper was overwritten by the data read from configuration. {code} private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf) throws IOException { this.conf = conf; this.zkperms = new ZKPermissionWatcher(watcher, this, conf); try { // Read global authorization data from zookeeper. this.zkperms.start(); } catch (KeeperException ke) { LOG.error(ZooKeeper initialization failed, ke); } // It will overwrite globalCache. // initialize global permissions based on configuration globalCache = initGlobal(conf); } {code} This issue can be easily reproduced by below steps: 1. Start a cluster with 3 regionservers. 2. Create a new table T1. 3. grant a new user USER-A with global authorization. 4. Kill 1 regionserver RS3 and switch balance off. 5. Start regionserver RS3. 6. Assign region T1 to RS3. 7. Put data with user USER-A. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-8213: -- Attachment: HBASE-8213-trunk.patch +1 on patch 0.94, new test fails if change in TableAuthManager is not applied. Attached a patch for trunk. TestAccessController passes locally for both 0.94 and trunk builds with patch applied. global authorization may lose efficacy --- Key: HBASE-8213 URL: https://issues.apache.org/jira/browse/HBASE-8213 Project: HBase Issue Type: Bug Components: security Affects Versions: 0.95.0, 0.96.0, 0.94.7 Reporter: Jieshan Bean Assignee: Jieshan Bean Priority: Critical Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch It depends on the order of which region be opened first. Suppose we have one 1 regionserver and only 1 user region REGION-A on this server, _acl_ region was on another regionserver. _acl_ was opened a few seconds before REGION-A. The global authorization data read from Zookeeper was overwritten by the data read from configuration. {code} private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf) throws IOException { this.conf = conf; this.zkperms = new ZKPermissionWatcher(watcher, this, conf); try { // Read global authorization data from zookeeper. this.zkperms.start(); } catch (KeeperException ke) { LOG.error(ZooKeeper initialization failed, ke); } // It will overwrite globalCache. // initialize global permissions based on configuration globalCache = initGlobal(conf); } {code} This issue can be easily reproduced by below steps: 1. Start a cluster with 3 regionservers. 2. Create a new table T1. 3. grant a new user USER-A with global authorization. 4. Kill 1 regionserver RS3 and switch balance off. 5. Start regionserver RS3. 6. Assign region T1 to RS3. 7. Put data with user USER-A. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-8213: -- Status: Patch Available (was: Open) global authorization may lose efficacy --- Key: HBASE-8213 URL: https://issues.apache.org/jira/browse/HBASE-8213 Project: HBase Issue Type: Bug Components: security Affects Versions: 0.95.0, 0.96.0, 0.94.7 Reporter: Jieshan Bean Assignee: Jieshan Bean Priority: Critical Attachments: HBASE-8213-94.patch, HBASE-8213-trunk.patch It depends on the order of which region be opened first. Suppose we have one 1 regionserver and only 1 user region REGION-A on this server, _acl_ region was on another regionserver. _acl_ was opened a few seconds before REGION-A. The global authorization data read from Zookeeper was overwritten by the data read from configuration. {code} private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf) throws IOException { this.conf = conf; this.zkperms = new ZKPermissionWatcher(watcher, this, conf); try { // Read global authorization data from zookeeper. this.zkperms.start(); } catch (KeeperException ke) { LOG.error(ZooKeeper initialization failed, ke); } // It will overwrite globalCache. // initialize global permissions based on configuration globalCache = initGlobal(conf); } {code} This issue can be easily reproduced by below steps: 1. Start a cluster with 3 regionservers. 2. Create a new table T1. 3. grant a new user USER-A with global authorization. 4. Kill 1 regionserver RS3 and switch balance off. 5. Start regionserver RS3. 6. Assign region T1 to RS3. 7. Put data with user USER-A. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jieshan Bean updated HBASE-8213: Attachment: HBASE-8213-94.patch Patch for 94. global authorization may lose efficacy --- Key: HBASE-8213 URL: https://issues.apache.org/jira/browse/HBASE-8213 Project: HBase Issue Type: Bug Components: security Affects Versions: 0.95.0, 0.96.0, 0.94.7 Reporter: Jieshan Bean Assignee: Jieshan Bean Priority: Critical Attachments: HBASE-8213-94.patch It depends on the order of which region be opened first. Suppose we have one 1 regionserver and only 1 user region REGION-A on this server, _acl_ region was on another regionserver. _acl_ was opened a few seconds before REGION-A. The global authorization data read from Zookeeper was overwritten by the data read from configuration. {code} private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf) throws IOException { this.conf = conf; this.zkperms = new ZKPermissionWatcher(watcher, this, conf); try { // Read global authorization data from zookeeper. this.zkperms.start(); } catch (KeeperException ke) { LOG.error(ZooKeeper initialization failed, ke); } // It will overwrite globalCache. // initialize global permissions based on configuration globalCache = initGlobal(conf); } {code} This issue can be easily reproduced by below steps: 1. Start a cluster with 3 regionservers. 2. Create a new table T1. 3. grant a new user USER-A with global authorization. 4. Kill 1 regionserver RS3 and switch balance off. 5. Start regionserver RS3. 6. Assign region T1 to RS3. 7. Put data with user USER-A. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HBASE-8213) global authorization may lose efficacy
[ https://issues.apache.org/jira/browse/HBASE-8213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Andrew Purtell updated HBASE-8213: -- Component/s: security Affects Version/s: 0.94.7 0.96.0 0.95.0 global authorization may lose efficacy --- Key: HBASE-8213 URL: https://issues.apache.org/jira/browse/HBASE-8213 Project: HBase Issue Type: Bug Components: security Affects Versions: 0.95.0, 0.96.0, 0.94.7 Reporter: Jieshan Bean Assignee: Jieshan Bean Priority: Critical It depends on the order of which region be opened first. Suppose we have one 1 regionserver and only 1 user region REGION-A on this server, _acl_ region was on another regionserver. _acl_ was opened a few seconds before REGION-A. The global authorization data read from Zookeeper was overwritten by the data read from configuration. {code} private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf) throws IOException { this.conf = conf; this.zkperms = new ZKPermissionWatcher(watcher, this, conf); try { // Read global authorization data from zookeeper. this.zkperms.start(); } catch (KeeperException ke) { LOG.error(ZooKeeper initialization failed, ke); } // It will overwrite globalCache. // initialize global permissions based on configuration globalCache = initGlobal(conf); } {code} This issue can be easily reproduced by below steps: 1. Start a cluster with 3 regionservers. 2. Create a new table T1. 3. grant a new user USER-A with global authorization. 4. Kill 1 regionserver RS3 and switch balance off. 5. Start regionserver RS3. 6. Assign region T1 to RS3. 7. Put data with user USER-A. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira