  1. HBase
  2. HBASE-24184

Backport HBASE-23896 to branch-1: Snapshot owner cannot delete snapshot when ACL is enabled and Kerberos is not enabled


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.7.0
    • Component/s: snapshots
    • Labels:
      None

      Description

      For the owner of a snapshot (not a global admin user), list_snapshots currently returns empty if I just use simple ACLs for authorization but do not use authentication.

      The code in AccessController.preListSnapshot:

      if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
        // list it, if user is the owner of snapshot
        AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(),
            "Snapshot owner check allowed", user, null, null, null);
        accessChecker.logResult(result);
      }

      And SnapshotManager.takeSnapshotInternal:

      if (User.isHBaseSecurityEnabled(master.getConfiguration()) && user != null) {
        builder.setOwner(user.getShortName());
      }
      

      User.isHBaseSecurityEnabled:

      public static boolean isHBaseSecurityEnabled(Configuration conf) {
        return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY));
      }
      

      So I think the logic of setOwner is used for authorization, not authentication. SnapshotManager should not only setOwner when hbase.security.authentication = kerberos, which causes listSnapshots to return empty when I just use simple ACLs.
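
Added example, not part of the original issue or the HBase source: a simplified Java model of the behaviour reported above, showing that an owner check at list time can never match when the owner is only recorded under Kerberos. All names except `isHBaseSecurityEnabled` are hypothetical, and `takeSnapshotAlwaysOwned` is an assumed alternative for comparison, not the committed fix.

```java
import java.util.*;

// Added model of the behaviour described in this issue; not HBase source code.
public class SnapshotOwnerDemo {
    // Simplified stand-in for a snapshot description: name plus optional owner.
    static final class Snapshot {
        final String name; final String owner; // owner == null: never recorded
        Snapshot(String name, String owner) { this.name = name; this.owner = owner; }
    }

    // Mirrors User.isHBaseSecurityEnabled as quoted in the issue.
    static boolean isHBaseSecurityEnabled(Map<String, String> conf) {
        return "kerberos".equalsIgnoreCase(conf.get("hbase.security.authentication"));
    }

    // Owner recorded only under Kerberos, as in the quoted takeSnapshotInternal.
    static Snapshot takeSnapshotKerberosGated(Map<String, String> conf, String name, String user) {
        boolean record = isHBaseSecurityEnabled(conf) && user != null;
        return new Snapshot(name, record ? user : null);
    }

    // Assumed alternative: record the owner whenever a caller identity exists.
    static Snapshot takeSnapshotAlwaysOwned(String name, String user) {
        return new Snapshot(name, user);
    }

    // Owner check in the spirit of preListSnapshot: non-admins see only their own.
    static List<String> listSnapshots(List<Snapshot> all, String user) {
        List<String> visible = new ArrayList<>();
        for (Snapshot s : all) {
            if (s.owner != null && s.owner.equals(user)) visible.add(s.name);
        }
        return visible;
    }

    public static void main(String[] args) {
        // Constructed sample: user "alice" snapshots "snap1" under each auth mode.
        for (String auth : new String[] {"simple", "kerberos"}) {
            Map<String, String> conf = new HashMap<>();
            conf.put("hbase.security.authentication", auth);
            List<Snapshot> gated = List.of(takeSnapshotKerberosGated(conf, "snap1", "alice"));
            List<Snapshot> owned = List.of(takeSnapshotAlwaysOwned("snap1", "alice"));
            System.out.println(auth + ": kerberos-gated owner -> " + listSnapshots(gated, "alice")
                + ", owner always recorded -> " + listSnapshots(owned, "alice"));
        }
    }
}
```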

              People

              • Assignee:
                tangtianhang tianhang tang
                Reporter:
                tangtianhang tianhang tang