[
https://issues.apache.org/jira/browse/HBASE-25432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17253911#comment-17253911
]
lujie edited comment on HBASE-25432 at 12/23/20, 6:44 AM:
----------------------------------------------------------
We also find that Hbck.fixMeta also lack of security check, non-admin can also
fix the meta, below is log!
2020-12-23 06:26:20,947 INFO
[RpcServer.default.FPBQ.Fifo.handler=28,queue=1,port=16000] master.MetaFixer:
Fixed hole by adding \{ENCODED => e70948da53cc8a6ce7f7a270a53b884a, NAME =>
'TestTable,00000000000000000000051557,1608704780922.e70948da53cc8a6ce7f7a270a53b884a.',
STARTKEY => '00000000000000000000051557', ENDKEY =>
'00000000000000000000056244'}; region is NOT assigned (assign to online)
it seems that one user can write region into other users' table!
was (Author: xiaoheipangzi):
We also find that Hbck.fixMeta also lack of security check, non-admin can also
fix the meta, below is log!
2020-12-23 06:26:20,947 INFO
[RpcServer.default.FPBQ.Fifo.handler=28,queue=1,port=16000] master.MetaFixer:
Fixed hole by adding \{ENCODED => e70948da53cc8a6ce7f7a270a53b884a, NAME =>
'TestTable,00000000000000000000051557,1608704780922.e70948da53cc8a6ce7f7a270a53b884a.',
STARTKEY => '00000000000000000000051557', ENDKEY =>
'00000000000000000000056244'}; region is NOT assigned (assign to online)
> we should add security checks for setTableStateInMeta
> -----------------------------------------------------
>
> Key: HBASE-25432
> URL: https://issues.apache.org/jira/browse/HBASE-25432
> Project: HBase
> Issue Type: Bug
> Reporter: lujie
> Priority: Blocker
> Fix For: 3.0.0-alpha-1, 1.7.0, 2.3.4, 2.5.0, 2.4.1
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
