[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Matteo Bertozzi updated HBASE-9973: --- Resolution: Fixed Fix Version/s: 0.98.0 Status: Resolved (was: Patch Available) committed to trunk and 96, thanks for the patch and the reviews! > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: migration, security >Affects Versions: 0.96.0, 0.96.1 >Reporter: Aleksandr Shulman >Assignee: Himanshu Vashishtha > Labels: acl > Fix For: 0.98.0, 0.96.1 > > Attachments: 9973-v2.patch, 9973-v2.patch, 9973.patch > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW > > TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA > > _acl_column=l:root, timestamp=1384454767568, value=C > > _acl_column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:aclcolumn=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Himanshu Vashishtha updated HBASE-9973: --- Component/s: migration > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: migration, security >Affects Versions: 0.96.0, 0.96.1 >Reporter: Aleksandr Shulman >Assignee: Himanshu Vashishtha > Labels: acl > Fix For: 0.96.1 > > Attachments: 9973-v2.patch, 9973-v2.patch, 9973.patch > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW > > TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA > > _acl_column=l:root, timestamp=1384454767568, value=C > > _acl_column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:aclcolumn=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Himanshu Vashishtha updated HBASE-9973: --- Attachment: 9973-v2.patch > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 0.96.0, 0.96.1 >Reporter: Aleksandr Shulman >Assignee: Himanshu Vashishtha > Labels: acl > Fix For: 0.96.1 > > Attachments: 9973-v2.patch, 9973-v2.patch, 9973.patch > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW > > TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA > > _acl_column=l:root, timestamp=1384454767568, value=C > > _acl_column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:aclcolumn=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Himanshu Vashishtha updated HBASE-9973: --- Attachment: 9973-v2.patch > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 0.96.0, 0.96.1 >Reporter: Aleksandr Shulman >Assignee: Himanshu Vashishtha > Labels: acl > Fix For: 0.96.1 > > Attachments: 9973-v2.patch, 9973.patch > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW > > TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA > > _acl_column=l:root, timestamp=1384454767568, value=C > > _acl_column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:aclcolumn=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Himanshu Vashishtha updated HBASE-9973: --- Status: Patch Available (was: Open) > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 0.96.0, 0.96.1 >Reporter: Aleksandr Shulman >Assignee: Himanshu Vashishtha > Labels: acl > Fix For: 0.96.1 > > Attachments: 9973.patch > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW > > TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA > > _acl_column=l:root, timestamp=1384454767568, value=C > > _acl_column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:aclcolumn=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Himanshu Vashishtha updated HBASE-9973: --- Attachment: 9973.patch > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 0.96.0, 0.96.1 >Reporter: Aleksandr Shulman >Assignee: Himanshu Vashishtha > Labels: acl > Fix For: 0.96.1 > > Attachments: 9973.patch > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW > > TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA > > _acl_column=l:root, timestamp=1384454767568, value=C > > _acl_column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:aclcolumn=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Aleksandr Shulman updated HBASE-9973: - Assignee: Himanshu Vashishtha > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 0.96.0, 0.96.1 >Reporter: Aleksandr Shulman >Assignee: Himanshu Vashishtha > Labels: acl > Fix For: 0.96.1 > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW > > TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA > > _acl_column=l:root, timestamp=1384454767568, value=C > > _acl_column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:aclcolumn=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (HBASE-9973) [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade to 0.96.x from 0.94.x or 0.92.x
[ https://issues.apache.org/jira/browse/HBASE-9973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Aleksandr Shulman updated HBASE-9973: - Labels: acl (was: ) > [ACL]: Users with 'Admin' ACL permission will lose permissions after upgrade > to 0.96.x from 0.94.x or 0.92.x > > > Key: HBASE-9973 > URL: https://issues.apache.org/jira/browse/HBASE-9973 > Project: HBase > Issue Type: Bug > Components: security >Affects Versions: 0.96.0, 0.96.1 >Reporter: Aleksandr Shulman > Labels: acl > Fix For: 0.96.1 > > > In our testing, we have uncovered that the ACL permissions for users with the > 'A' credential do not hold after the upgrade to 0.96.x. > This is because in the ACL table, the entry for the admin user is a > permission on the '_acl_' table with permission 'A'. However, because of the > namespace transition, there is no longer an '_acl_' table. Therefore, that > entry in the hbase:acl table is no longer valid. > Example: > {code}hbase(main):002:0> scan 'hbase:acl' > ROW COLUMN+CELL > > TestTablecolumn=l:hdfs, timestamp=1384454830701, value=RW > > TestTablecolumn=l:root, timestamp=1384455875586, value=RWCA > > _acl_column=l:root, timestamp=1384454767568, value=C > > _acl_column=l:tableAdmin, timestamp=1384454788035, value=A > > hbase:aclcolumn=l:root, timestamp=1384455875786, value=C > > {code} > In this case, the following entry becomes meaningless: > {code} _acl_column=l:tableAdmin, timestamp=1384454788035, > value=A {code} > As a result, > Proposed fix: > I see the fix being relatively straightforward. As part of the migration, > change any entries in the '_acl_' table with key '_acl_' into a new row with > key 'hbase:acl', all else being the same. And the old entry would be deleted. > This can go into the standard migration script that we expect users to run. -- This message was sent by Atlassian JIRA (v6.1#6144)