Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-15873

ACL for snapshot restore / clone is not enforced

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.1.0
    • Fix Version/s: 1.3.0, 1.2.2, 0.98.20, 1.1.6
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Romil Choksi reported that snapshot owner couldn't restore snapshot on hbase 1.1
      We saw the following in master log:

      2016-05-20 00:22:17,186 DEBUG [B.defaultRpcServer.handler=23,queue=2,port=20000] ipc.RpcServer: B.defaultRpcServer.handler=23,queue=2,port=20000: callId: 15 service:             MasterService methodName: RestoreSnapshot size: 70 connection: x.y:56508
      org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'hrt_1' (global, action=ADMIN)
        at org.apache.hadoop.hbase.security.access.AccessController.requireGlobalPermission(AccessController.java:536)
        at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:512)
        at org.apache.hadoop.hbase.security.access.AccessController.preRestoreSnapshot(AccessController.java:1327)
        at org.apache.hadoop.hbase.master.MasterCoprocessorHost$73.call(MasterCoprocessorHost.java:881)
        at org.apache.hadoop.hbase.master.MasterCoprocessorHost.execOperation(MasterCoprocessorHost.java:1146)
        at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preRestoreSnapshot(MasterCoprocessorHost.java:877)
        at org.apache.hadoop.hbase.master.snapshot.SnapshotManager.restoreSnapshot(SnapshotManager.java:726)
      

      After adding some debug information, it turned out that the (request) SnapshotDescription passed to the method doesn't have owner set.

      This problem doesn't exist in master branch.

        Attachments

          Activity

            People

            • Assignee:
              yuzhihong@gmail.com Ted Yu
              Reporter:
              yuzhihong@gmail.com Ted Yu
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: