[ https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17253911#comment-17253911 ]
lujie edited comment on HBASE-25432 at 12/23/20, 6:44 AM: ---------------------------------------------------------- We also find that Hbck.fixMeta also lack of security check, non-admin can also fix the meta, below is log! 2020-12-23 06:26:20,947 INFO [RpcServer.default.FPBQ.Fifo.handler=28,queue=1,port=16000] master.MetaFixer: Fixed hole by adding \{ENCODED => e70948da53cc8a6ce7f7a270a53b884a, NAME => 'TestTable,00000000000000000000051557,1608704780922.e70948da53cc8a6ce7f7a270a53b884a.', STARTKEY => '00000000000000000000051557', ENDKEY => '00000000000000000000056244'}; region is NOT assigned (assign to online) it seems that one user can write region into other users' table! was (Author: xiaoheipangzi): We also find that Hbck.fixMeta also lack of security check, non-admin can also fix the meta, below is log! 2020-12-23 06:26:20,947 INFO [RpcServer.default.FPBQ.Fifo.handler=28,queue=1,port=16000] master.MetaFixer: Fixed hole by adding \{ENCODED => e70948da53cc8a6ce7f7a270a53b884a, NAME => 'TestTable,00000000000000000000051557,1608704780922.e70948da53cc8a6ce7f7a270a53b884a.', STARTKEY => '00000000000000000000051557', ENDKEY => '00000000000000000000056244'}; region is NOT assigned (assign to online) > we should add security checks for setTableStateInMeta > ----------------------------------------------------- > > Key: HBASE-25432 > URL: https://issues.apache.org/jira/browse/HBASE-25432 > Project: HBase > Issue Type: Bug > Reporter: lujie > Priority: Blocker > Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)