Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-18323

Remove multiple ACLs for the same user in kerberos

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.2.0, 3.0.0
    • Fix Version/s: 1.4.0, 2.0.0
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      When deploy hbase in kerberos way ,there will be multiple acls in znode :
      'world,'anyone
      : r
      'sasl,'hbase
      : cdrwa
      'sasl,'hbase
      : cdrwa

      I also see the related issue and apply the patch, like https://issues.apache.org/jira/browse/HBASE-17717
      but in my environment ,this situation still appear,

      After dig into the code , i found the reason in source code ZKUtil.createAcl is

      if (zkw.isClientReadable(node))

      { LOG.error("isSecureZooKeeper user: clientReadable"); acls.addAll(Ids.CREATOR_ALL_ACL); acls.addAll(Ids.READ_ACL_UNSAFE); }

      else

      { LOG.error("isSecureZooKeeper user: clientReadable no"); acls.addAll(Ids.CREATOR_ALL_ACL); }

      acls.addAll(Ids.CREATOR_ALL_ACL);

      Id AUTH_IDS = new Id("auth", "");

      ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList(Collections.singletonList(new ACL(31, AUTH_IDS)));

      AUTH_IDS with "auth " will result current connection auth user add to znode acl ,
      so it will appear multiple acls for same users.

      I think this line of code we can remove : acls.addAll(Ids.CREATOR_ALL_ACL);

        Attachments

        1. HBASE-18323.patch
          1 kB
          Shibin Zhang
        2. HBASE-18323-V2.patch
          3 kB
          Shibin Zhang
        3. HBASE-18323-V3.patch
          3 kB
          Shibin Zhang
        4. HBASE-18323-V4.patch
          5 kB
          Shibin Zhang
        5. HBASE-18323-V5.patch
          5 kB
          Shibin Zhang

          Issue Links

            Activity

              People

              • Assignee:
                zhangshibin Shibin Zhang
                Reporter:
                zhangshibin Shibin Zhang
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: