HBASE-17717: Incorrect ZK ACL set for HBase superuser


Details

    • Reviewed
      In previous versions of HBase, the system intended to set a ZooKeeper ACL on all "sensitive" ZNodes for the user specified in the hbase.superuser configuration property. Unfortunately, the ACL was malformed which resulted in the hbase.superuser being unable to access the sensitive ZNodes that HBase creates. This JIRA issue fixes this bug. HBase will automatically correct the ACLs on start so users do not need to manually correct the ACLs.

    Description

      Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs were actually set as we expect (yay, security).

      She noticed that, in some cases, we were seeing multiple ACLs for the same user.

            'world,'anyone
            : r
            'sasl,'hbase
            : cdrwa
            'sasl,'hbase
            : cdrwa
      

      After digging into this (and some insight from the mighty enis), we realized that this was happening because of an overridden value for hbase.superuser. However, the ACL value doesn't match what we'd expect to see (as hbase.superuser was set to cstm-hbase).

      After digging into this code, it seems like the auth ACL scheme in ZooKeeper does not work as we expect.

            if (superUser != null) {
              acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
            }
      

      In the above, the "auth" scheme ignores any provided "subject" in the Id object. It only considers the authentication of the current connection. As such, our usage of this never actually sets the ACL for the superuser correctly.
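      The check Shreya did by hand can be scripted. The following is an added example, not code from HBase or from the patches attached here: it parses ACL output in the layout shown above and reports duplicate entries and whether the configured superuser actually holds full permissions. The function names and the corrected sample are assumptions made for illustration.

```python
# Added example (not HBase code): audit a znode's ACL listing for the
# symptoms described in this issue.
from collections import Counter

ALL_PERMS = set("cdrwa")  # create, delete, read, write, admin

# Constructed from the listing in the description (hbase.superuser=cstm-hbase).
BROKEN = """'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'hbase
: cdrwa
"""

# Constructed: what an operator would expect once the ACL is set correctly.
FIXED = """'world,'anyone
: r
'sasl,'hbase
: cdrwa
'sasl,'cstm-hbase
: cdrwa
"""


def parse_getacl(text):
    """Return [(scheme, id, perms)] from "'scheme,'id" / ": perms" line pairs."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("'") and ",'" in line:
            scheme, ident = line[1:].split(",'", 1)
            pending = (scheme, ident)
        elif line.startswith(":") and pending is not None:
            entries.append((*pending, frozenset(line[1:].strip())))
            pending = None
    return entries


def audit(entries, superuser):
    """Flag repeated identities and check the superuser has a full sasl ACL."""
    counts = Counter((scheme, ident) for scheme, ident, _ in entries)
    return {
        "duplicates": sorted(k for k, n in counts.items() if n > 1),
        "superuser_has_all": any(
            scheme == "sasl" and ident == superuser and perms >= ALL_PERMS
            for scheme, ident, perms in entries
        ),
    }
```

      A duplicate entry for the service principal together with `superuser_has_all` being false is the signature of this bug: the "auth" entry was recorded for the connection's own identity instead of the configured superuser.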

      Attachments

        1. HBASE-17717.001.0.98.patch
          5 kB
          Josh Elser
        2. HBASE-17717.001.branch-1.1.patch
          5 kB
          Josh Elser
        3. HBASE-17717.001.patch
          5 kB
          Josh Elser

            People

              elserj Josh Elser
              shreyabhatm@gmail.com Shreya Bhat