Details
Description
When deploy hbase in kerberos way ,there will be multiple acls in znode :
'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
I also see the related issue and apply the patch, like https://issues.apache.org/jira/browse/HBASE-17717
but in my environment ,this situation still appear,
After dig into the code , i found the reason in source code ZKUtil.createAcl is
if (zkw.isClientReadable(node))
{ LOG.error("isSecureZooKeeper user: clientReadable"); acls.addAll(Ids.CREATOR_ALL_ACL); acls.addAll(Ids.READ_ACL_UNSAFE); }else
{ LOG.error("isSecureZooKeeper user: clientReadable no"); acls.addAll(Ids.CREATOR_ALL_ACL); }
acls.addAll(Ids.CREATOR_ALL_ACL);
Id AUTH_IDS = new Id("auth", "");
ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new ACL(31, AUTH_IDS)));
AUTH_IDS with "auth " will result current connection auth user add to znode acl ,
so it will appear multiple acls for same users.
I think this line of code we can remove : acls.addAll(Ids.CREATOR_ALL_ACL);
Attachments
Attachments
Issue Links
- is related to
-
HBASE-17717 Incorrect ZK ACL set for HBase superuser
- Resolved