Description
Shreya was doing some testing of a deploy of HBase, verifying that the ZK ACLs were actually set as we expect (yay, security).
She noticed that, in some cases, we were seeing multiple ACLs for the same user.
```
'world,'anyone : r
'sasl,'hbase : cdrwa
'sasl,'hbase : cdrwa
```
After digging into this (and some insight from the mighty enis), we realized that this was happening because of an overridden value for hbase.superuser. However, the ACL value doesn't match what we'd expect to see (as hbase.superuser was set to cstm-hbase).
After digging into this code, it seems like the auth ACL scheme in ZooKeeper does not work as we expect.
```java
if (superUser != null) {
  // Intended to grant the configured superuser full rights on the znode.
  // The "auth" scheme ignores the id passed here and grants the permissions
  // to whatever identity authenticated the current connection instead.
  acls.add(new ACL(Perms.ALL, new Id("auth", superUser)));
}
```
In the above, the "auth" scheme ignores any "subject" provided in the Id object: ZooKeeper only considers the authenticated identity of the current connection. As such, this usage never actually sets the ACL for the configured superuser.
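As an added illustration (not code from this issue or from HBase), a small Python audit that parses `getAcl` output in the form shown above, flags duplicate entries and "auth" entries that carry an explicit id (which ZooKeeper ignores), and builds the superuser ACL list with an explicit sasl identity instead. The `Acl` class, the function names and the `cstm-hbase` sample value are assumptions made for the example.

```python
"""Audit ZooKeeper ACL lists as printed by `zkCli.sh getAcl` (added example)."""
import re
from dataclasses import dataclass

# zkCli prints each entry as  'scheme,'id : perms   e.g.  'sasl,'hbase : cdrwa
ENTRY_RE = re.compile(r"'([a-z]+),'([^:]*?)\s*:\s*([cdrwa]+)")

# Constructed sample: the duplicated superuser entry described in the issue.
SAMPLE_GETACL = "'world,'anyone : r 'sasl,'hbase : cdrwa 'sasl,'hbase : cdrwa"


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: str  # canonical, sorted permission letters (a c d r w)

def parse_getacl(text: str) -> list[Acl]:
    """Parse getAcl output; permission letters are sorted so entries compare equal."""
    return [Acl(s, i, "".join(sorted(p))) for s, i, p in ENTRY_RE.findall(text)]

def audit(acls: list[Acl]) -> list[str]:
    """Return human-readable findings for an ACL list."""
    findings, seen = [], set()
    for a in acls:
        key = (a.scheme, a.id)
        if key in seen:
            findings.append(f"duplicate ACL for {a.scheme}:{a.id}")
        seen.add(key)
        # "auth" ignores the id: the permissions go to whatever identity
        # authenticated the connection that created the znode, not to a.id.
        if a.scheme == "auth" and a.id:
            findings.append(f"auth:{a.id} id is ignored by ZooKeeper; "
                            f"it does not grant anything to {a.id}")
    return findings

def superuser_acls(superusers: list[str], hbase_principal: str = "hbase") -> list[Acl]:
    """Build the ACL list with an explicit sasl identity per superuser, without duplicates."""
    acls = [Acl("world", "anyone", "r"), Acl("sasl", hbase_principal, "acdrw")]
    for user in superusers:
        entry = Acl("sasl", user, "acdrw")
        if entry not in acls:  # hbase.superuser may repeat the service principal
            acls.append(entry)
    return acls

if __name__ == "__main__":
    for finding in audit(parse_getacl(SAMPLE_GETACL)):
        print(finding)
    print(superuser_acls(["cstm-hbase"]))
```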
Attachments
Issue Links
- relates to
  - HBASE-18323 Remove multiple ACLs for the same user in kerberos (Resolved)
  - ZOOKEEPER-2709 Clarify documentation around "auth" ACL scheme (Closed)