Shibin Zhang created HBASE-18323:
------------------------------------
Summary: Remove multiple ACLs for the same user in kerberos
Key: HBASE-18323
URL: https://issues.apache.org/jira/browse/HBASE-18323
Project: HBase
Issue Type: Bug
Affects Versions: 3.0.0
Reporter: Shibin Zhang
Priority: Critical
When deploy hbase in kerberos way ,there will be multiple acls in znode :
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
I also see the related issue and apply the patch, like
https://issues.apache.org/jira/browse/HBASE-17717
but in my environment ,this situation still appear,
After dig into the code , i found the reason in source code ZKUtil.createAcl
is
if (zkw.isClientReadable(node)) {
LOG.error("isSecureZooKeeper user: clientReadable");
acls.addAll(Ids.CREATOR_ALL_ACL);
acls.addAll(Ids.READ_ACL_UNSAFE);
} else {
LOG.error("isSecureZooKeeper user: clientReadable no");
acls.addAll(Ids.CREATOR_ALL_ACL);
}
acls.addAll(Ids.CREATOR_ALL_ACL);
Id AUTH_IDS = new Id("auth", "");
ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new
ACL(31, AUTH_IDS)));
AUTH_IDS with "auth " will result current connection auth user add to
znode acl ,
so it will appear multiple acls for same users.
I think this line of code we can remove : acls.addAll(Ids.CREATOR_ALL_ACL);
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
