Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-8213

global authorization may lose efficacy

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.94.6, 0.95.0, 0.95.2
    • Fix Version/s: 0.98.0, 0.94.7, 0.95.0
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      It depends on the order of which region be opened first.
      Suppose we have one 1 regionserver and only 1 user region REGION-A on this server, acl region was on another regionserver. acl was opened a few seconds before REGION-A.
      The global authorization data read from Zookeeper was overwritten by the data read from configuration.

        private TableAuthManager(ZooKeeperWatcher watcher, Configuration conf)
            throws IOException {
          this.conf = conf;
          this.zkperms = new ZKPermissionWatcher(watcher, this, conf);
          try {
      	  // Read global authorization data from zookeeper. 
            this.zkperms.start();
          } catch (KeeperException ke) {
            LOG.error("ZooKeeper initialization failed", ke);
          }
          // It will overwrite globalCache.
          // initialize global permissions based on configuration
          globalCache = initGlobal(conf);
        }
      

      This issue can be easily reproduced by below steps:
      1. Start a cluster with 3 regionservers.
      2. Create a new table T1.
      3. grant a new user USER-A with global authorization.
      4. Kill 1 regionserver RS3 and switch balance off.
      5. Start regionserver RS3.
      6. Assign region T1 to RS3.
      7. Put data with user USER-A.

        Attachments

        1. HBASE-8213-trunk.patch
          7 kB
          Andrew Kyle Purtell
        2. HBASE-8213-94.patch
          7 kB
          Jieshan Bean

          Activity

            People

            • Assignee:
              jeason Jieshan Bean
              Reporter:
              jeason Jieshan Bean
            • Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: