Shibin Zhang created HBASE-18323: ------------------------------------ Summary: Remove multiple ACLs for the same user in kerberos Key: HBASE-18323 URL: https://issues.apache.org/jira/browse/HBASE-18323 Project: HBase Issue Type: Bug Affects Versions: 3.0.0 Reporter: Shibin Zhang Priority: Critical
When deploy hbase in kerberos way ,there will be multiple acls in znode : 'world,'anyone : r 'sasl,'hbase : cdrwa 'sasl,'hbase : cdrwa I also see the related issue and apply the patch, like https://issues.apache.org/jira/browse/HBASE-17717 but in my environment ,this situation still appear, After dig into the code , i found the reason in source code ZKUtil.createAcl is if (zkw.isClientReadable(node)) { LOG.error("isSecureZooKeeper user: clientReadable"); acls.addAll(Ids.CREATOR_ALL_ACL); acls.addAll(Ids.READ_ACL_UNSAFE); } else { LOG.error("isSecureZooKeeper user: clientReadable no"); acls.addAll(Ids.CREATOR_ALL_ACL); } acls.addAll(Ids.CREATOR_ALL_ACL); Id AUTH_IDS = new Id("auth", ""); ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new ACL(31, AUTH_IDS))); AUTH_IDS with "auth " will result current connection auth user add to znode acl , so it will appear multiple acls for same users. I think this line of code we can remove : acls.addAll(Ids.CREATOR_ALL_ACL); -- This message was sent by Atlassian JIRA (v6.4.14#64029)