[
https://issues.apache.org/jira/browse/HBASE-18323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gavin updated HBASE-18323:
--------------------------
Comment: was deleted
(was: A comment with security level 'jira-users' was removed.)
> Remove multiple ACLs for the same user in kerberos
> --------------------------------------------------
>
> Key: HBASE-18323
> URL: https://issues.apache.org/jira/browse/HBASE-18323
> Project: HBase
> Issue Type: Bug
> Affects Versions: 1.2.0, 3.0.0
> Reporter: Shibin Zhang
> Assignee: Shibin Zhang
> Priority: Minor
> Fix For: 1.4.0, 2.0.0
>
> Attachments: HBASE-18323-V2.patch, HBASE-18323-V3.patch,
> HBASE-18323-V4.patch, HBASE-18323-V5.patch, HBASE-18323.patch
>
>
> When deploy hbase in kerberos way ,there will be multiple acls in znode :
> 'world,'anyone
> : r
> 'sasl,'hbase
> : cdrwa
> 'sasl,'hbase
> : cdrwa
> I also see the related issue and apply the patch, like
> https://issues.apache.org/jira/browse/HBASE-17717
> but in my environment ,this situation still appear,
> After dig into the code , i found the reason in source code ZKUtil.createAcl
> is
> if (zkw.isClientReadable(node)) {
> LOG.error("isSecureZooKeeper user: clientReadable");
> acls.addAll(Ids.CREATOR_ALL_ACL);
> acls.addAll(Ids.READ_ACL_UNSAFE);
> } else {
> LOG.error("isSecureZooKeeper user: clientReadable no");
> acls.addAll(Ids.CREATOR_ALL_ACL);
> }
> acls.addAll(Ids.CREATOR_ALL_ACL);
>
> Id AUTH_IDS = new Id("auth", "");
> ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new
> ACL(31, AUTH_IDS)));
> AUTH_IDS with "auth " will result current connection auth user add to
> znode acl ,
> so it will appear multiple acls for same users.
> I think this line of code we can remove :
> acls.addAll(Ids.CREATOR_ALL_ACL);
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
