[HBASE-13768] ZooKeeper znodes are bootstrapped with insecure ACLs in a secure configuration - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.98.13, 1.0.2, 1.2.0, 1.1.1, 0.98.12.1, 1.0.1.1, 1.1.0.1, 2.0.0
Component/s: security, Zookeeper
Labels:
None

Hadoop Flags:

Reviewed

Description

A logic error causes HBase in most secure configuration deployments to handle its coordination state in ZooKeeper via insecure ACLs. Anyone with remote unauthenticated network access to the ZooKeeper quorum, which by definition includes all HBase clients, can make use of this opening to violate the operational integrity of the system. For example, critical znodes can be deleted, causing outages. It is possible to introduce rogue replication endpoints. It is possible to direct the distributed log splitting facility to split arbitrary files in HDFS.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HBASE-13768_v1.patch
26/May/15 19:12
12 kB
Enis Soztutar
HBASE-13768_v1-addendum-branch-1.0.patch
02/Jun/15 21:14
2 kB
Enis Soztutar
HBASE-13768_v2.patch
26/May/15 20:16
24 kB
Enis Soztutar
HBASE-13768_v3.patch
26/May/15 21:55
24 kB
Enis Soztutar
HBASE-13768_v4.patch
27/May/15 03:07
24 kB
Enis Soztutar
HBASE-13768-0.98.patch
27/May/15 20:04
25 kB
Andrew Kyle Purtell
HBASE-13768-branch-1.0.patch
27/May/15 20:04
25 kB
Andrew Kyle Purtell
HBASE-13768-branch-1.patch
27/May/15 20:04
25 kB
Andrew Kyle Purtell

Issue Links

incorporates

HBASE-13769 Some ZK ACLs are unnecessarily permissive

Closed

links to

user@hbase announce for CVE-2015-1836

Activity

People

Assignee:: Enis Soztutar

Reporter:: Andrew Kyle Purtell

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 25/May/15 16:44

Updated:: 20/Nov/15 07:23

Resolved:: 27/May/15 20:14