
Incorrect ZK ACL set for HBase superuser


    Details

    • Hadoop Flags:
      Reviewed
    • Release Note:
      In previous versions of HBase, the system intended to set a ZooKeeper ACL on all "sensitive" ZNodes for the user specified in the hbase.superuser configuration property. Unfortunately, the ACL was malformed which resulted in the hbase.superuser being unable to access the sensitive ZNodes that HBase creates. This JIRA issue fixes this bug. HBase will automatically correct the ACLs on start so users do not need to manually correct the ACLs.

      Description

      Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs were actually set as we expect (yay, security).

      She noticed that, in some cases, we were seeing multiple ACLs for the same user.

      'world,'anyone  : r
      'sasl,'hbase    : cdrwa
      'sasl,'hbase    : cdrwa

      After digging into this (and some insight from the mighty Enis Soztutar), we realized that this was happening because of an overridden value for hbase.superuser. However, the ACL value doesn't match what we'd expect to see (as hbase.superuser was set to cstm-hbase).

      After digging into this code, it seems like the auth ACL scheme in ZooKeeper does not work as we expect.

            // HBase ZK ACL construction before the fix: the superuser entry uses the
            // ZooKeeper "auth" scheme, so the superUser string passed as the Id is ignored
            if (superUser != null) {
              acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
            }

      In the above, the "auth" scheme ignores any provided "subject" in the Id object. It only considers the authentication of the current connection. As such, our usage of this never actually sets the ACL for the superuser correctly.
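The behaviour described above, as an added example that is not HBase or ZooKeeper project code. ZooKeeper's own constant for this scheme, ZooDefs.Ids.AUTH_IDS, is new Id("auth", ""): the id is empty because the server replaces the entry with the authenticated identities of the session that creates the znode. The script models that rewrite (zk_fixup_acl is a simplified stand-in for the server-side fix-up, ignoring provider checks), shows why the listing above ends up with two sasl:hbase entries and none for cstm-hbase, and then parses a zkCli getAcl listing and flags the symptoms. Using scheme "sasl" for the superuser entry is this example's assumption about the corrected form, not a statement of what the attached patches do; ISSUE_LISTING is a constructed copy of the output quoted in the description, and the parser assumes zkCli's usual 'scheme,'id / : perms layout.

```python
"""Model of the HBASE-17717 defect and an audit for it (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: str  # zkCli letters: c(reate) d(elete) r(ead) w(rite) a(dmin)


ALL = "cdrwa"


def hbase_create_acl(hbase_user, superuser, use_auth_scheme):
    """ACL list for a sensitive znode (entry order is illustrative only).

    use_auth_scheme=True reproduces the pre-fix Id("auth", superUser) entry;
    False uses scheme "sasl" for the superuser (this example's assumption).
    """
    acls = [Acl("world", "anyone", "r"), Acl("sasl", hbase_user, ALL)]
    if superuser is not None:
        acls.append(Acl("auth" if use_auth_scheme else "sasl", superuser, ALL))
    return acls


def zk_fixup_acl(acls, session_ids):
    """Simplified model of ZooKeeper's server-side ACL fix-up: an "auth" entry is
    expanded to the session's authenticated (scheme, id) pairs and the id the
    client supplied is discarded; other entries are stored as given.  Nothing is
    de-duplicated, which is how the duplicate sasl:hbase entry arises."""
    stored = []
    for acl in acls:
        if acl.scheme == "auth":
            stored.extend(Acl(scheme, ident, acl.perms) for scheme, ident in session_ids)
        else:
            stored.append(acl)
    return stored


# zkCli prints each entry as  'scheme,'id  followed (usually on the next line) by  : perms
_ENTRY = re.compile(r"'(?P<scheme>[^,']+),'(?P<id>[^\n:']*)\s*:\s*(?P<perms>[cdrwa]+)")


def parse_get_acl(text):
    """Parse the listing printed by `zkCli.sh getAcl <znode>` (assumed format)."""
    return [Acl(m["scheme"], m["id"].strip(), m["perms"]) for m in _ENTRY.finditer(text)]


def audit(entries, superuser, hbase_user="hbase"):
    """Return human-readable problems; an empty list means the znode is as intended."""
    problems = []
    seen = set()
    for e in entries:
        key = (e.scheme, e.id)
        if key in seen:
            problems.append(f"duplicate entry for {e.scheme}:{e.id}")
        seen.add(key)
        if e.scheme == "auth":
            problems.append("'auth' entry present: ZooKeeper ignores its id")
        if key == ("world", "anyone") and set(e.perms) - {"r"}:
            problems.append(f"world:anyone has {e.perms}, expected r")
    users = [hbase_user] + ([superuser] if superuser not in (None, hbase_user) else [])
    for user in users:
        if not any((e.scheme, e.id) == ("sasl", user) and set(e.perms) == set(ALL) for e in entries):
            problems.append(f"sasl:{user} lacks {ALL}")
    return problems


# Constructed input: the getAcl output reproduced in the issue description.
ISSUE_LISTING = """'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
"""

if __name__ == "__main__":
    session = [("sasl", "hbase")]  # HBase's own SASL principal on the ZK session
    for label, use_auth in (("auth scheme (bug)", True), ("sasl scheme", False)):
        stored = zk_fixup_acl(hbase_create_acl("hbase", "cstm-hbase", use_auth), session)
        print(label, "->", [(a.scheme, a.id, a.perms) for a in stored], audit(stored, "cstm-hbase"))
    print("issue listing ->", audit(parse_get_acl(ISSUE_LISTING), "cstm-hbase"))
```

To check a real deployment, paste the output of getAcl for one of the sensitive znodes into parse_get_acl and pass the configured hbase.superuser to audit; a duplicate entry for the HBase principal together with no sasl entry for the superuser is the signature of this bug.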

        Attachments

        1. HBASE-17717.001.0.98.patch
          5 kB
          Josh Elser
        2. HBASE-17717.001.branch-1.1.patch
          5 kB
          Josh Elser
        3. HBASE-17717.001.patch
          5 kB
          Josh Elser

              People

              • Assignee:
                elserj Josh Elser
                Reporter:
                shreyabhatm@gmail.com Shreya Bhat
              • Votes:
                0
                Watchers:
                8
