Description
For the owner of snapshots (not a global admin user), list_snapshots currently returns empty if I just use simple ACLs for authorization but do not use authentication.
The code in AccessController.preListSnapshot:
    if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
      // list it, if user is the owner of snapshot
      AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(),
          "Snapshot owner check allowed", user, null, null, null);
      accessChecker.logResult(result);
    }
And SnapshotManager.takeSnapshotInternal:
    if (User.isHBaseSecurityEnabled(master.getConfiguration()) && user != null) {
      builder.setOwner(user.getShortName());
    }
User.isHBaseSecurityEnabled:
    public static boolean isHBaseSecurityEnabled(Configuration conf) {
      return "kerberos".equalsIgnoreCase(conf.get(HBASE_SECURITY_CONF_KEY));
    }
So I think the logic of setOwner is used for authorization, not authentication. SnapshotManager should not setOwner only when hbase.security.authentication = kerberos, which causes listSnapshots to return empty when I just use simple ACLs.
Issue Links
- is duplicated by HBASE-23896 Snapshot owner cannot delete snapshot when ACL is enabled and Kerberos is not enabled (Resolved)
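The mismatch described in this report, reduced to a stand-alone model (an added example, not HBase source and not part of the original report). The class, record and method names are hypothetical, the configuration values are constructed, and gating on `hbase.security.authorization` is an assumed alternative used only to show the contrast.

```java
import java.util.*;

// Simplified stand-alone model of the behaviour in this report; not HBase source.
public class SnapshotOwnerDemo {
    // Constructed stand-in for a snapshot description: name plus optional owner.
    record Snapshot(String name, String owner) {}

    // Same test as the isHBaseSecurityEnabled excerpt: true only for Kerberos.
    static boolean authenticationEnabled(Map<String, String> conf) {
        return "kerberos".equalsIgnoreCase(conf.get("hbase.security.authentication"));
    }

    // Assumed alternative gate: the setting that turns ACL checks on.
    static boolean authorizationEnabled(Map<String, String> conf) {
        return Boolean.parseBoolean(conf.getOrDefault("hbase.security.authorization", "false"));
    }

    // Models the takeSnapshotInternal excerpt: owner is recorded only if the gate is true.
    static Snapshot take(String name, String user, boolean recordOwner) {
        return new Snapshot(name, recordOwner && user != null ? user : null);
    }

    // Models the owner check in the preListSnapshot excerpt for a non-admin user.
    static List<String> listFor(String user, List<Snapshot> all) {
        List<String> visible = new ArrayList<>();
        for (Snapshot s : all) {
            if (user.equals(s.owner())) {
                visible.add(s.name());
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        // Constructed configuration: simple authentication with ACLs enabled.
        Map<String, String> conf = Map.of(
            "hbase.security.authentication", "simple",
            "hbase.security.authorization", "true");

        List<Snapshot> reported = List.of(take("snap1", "alice", authenticationEnabled(conf)));
        List<Snapshot> proposed = List.of(take("snap1", "alice", authorizationEnabled(conf)));

        System.out.println("owner gated on authentication: " + listFor("alice", reported));
        System.out.println("owner gated on authorization:  " + listFor("alice", proposed));
    }
}
```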