Uploaded image for project: 'CDAP'
  1. CDAP
  2. CDAP-7394

HBaseAdmin shouldn't be reused across different UGI

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.5.1, 3.5.0
    • Fix Version/s: 4.0.0, 3.6.1, 3.5.2
    • Component/s: Security
    • Labels:
    • Release Notes:
      Fixed an issue that allows impersonation in flows to work correctly, by not re-using HBaseAdmin across different UGI.
    • Rank:
      1|hzzmrr:

      Description

      The HBaseAdmin has a connection inside that contains the current UGI at the creation time. Reusing will break impersonation, because now Flow's HBase operations may be using the wrong UGI, which may not have privileges on the appropriate namespace (not should the incorrect user be used to create the HBase tables).

        Attachments

          Activity

            People

            • Assignee:
              terence Terence Yim
              Reporter:
              terence Terence Yim
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: