accumulo-commits mailing list archives

From els...@apache.org
Subject [1/3] accumulo git commit: ACCUMULO-3831 Eat user exists exception on automatic user-creation
Date Wed, 08 Jul 2015 15:31:37 GMT
Repository: accumulo
Updated Branches:
  refs/heads/1.7 b9a190a43 -> 38baaa8a6
  refs/heads/master 7b7975ca1 -> 5cb22b395


ACCUMULO-3831 Eat user exists exception on automatic user-creation

Kerberos authentication will automatically make sure an Accumulo user
exists (in ZK) to ensure that the Authorizor and PermissionHandler will
all work normally. Concurrent requests from the same user may fail if
one creates the user before the other.


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/38baaa8a
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/38baaa8a
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/38baaa8a

Branch: refs/heads/1.7
Commit: 38baaa8a653b7a1aa792e74182829ed7adbde74f
Parents: b9a190a
Author: Josh Elser <elserj@apache.org>
Authored: Thu Jul 2 18:20:26 2015 -0400
Committer: Josh Elser <elserj@apache.org>
Committed: Wed Jul 8 11:30:46 2015 -0400

----------------------------------------------------------------------
 .../accumulo/server/security/SecurityOperation.java     | 12 +++++++++++-
 .../server/security/handler/KerberosAuthenticator.java  |  1 -
 2 files changed, 11 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/38baaa8a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
index 3bb8a6c..7ad0b48 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java
@@ -183,7 +183,17 @@ public class SecurityOperation {
           if (!authenticator.userExists(creds.getPrincipal())) {
             // If we call the normal createUser method, it will loop back into this method
             // when it tries to check if the user has permission to create users
-            _createUser(credentials, creds, Authorizations.EMPTY);
+            try {
+              _createUser(credentials, creds, Authorizations.EMPTY);
+            } catch (ThriftSecurityException e) {
+              if (SecurityErrorCode.USER_EXISTS != e.getCode()) {
+                // For Kerberos, a user acct is automatically created because there is no
notion of a password
+                // in the traditional sense of Accumulo users. As such, if a user acct already
exists when we
+                // try to automatically create a user account, we should avoid returning
this exception back to the user.
+                // We want to let USER_EXISTS code pass through and continue
+                throw e;
+              }
+            }
           }
         } catch (AccumuloSecurityException e) {
           log.debug("Failed to determine if user exists", e);
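Review bot: The explanatory comment sits inside the `if (SecurityErrorCode.USER_EXISTS != e.getCode())` branch directly above `throw e`, so it reads as describing the rethrow when it actually explains the case that is swallowed; moving it above the `if` would match what the code does. The swallowed USER_EXISTS path also leaves no trace, and the same commit removes `log.error("User already exists in ZooKeeper", e)` from KerberosAuthenticator, so an `else` branch with a debug-level line such as `log.debug("User already existed during automatic creation", e);` would keep the concurrent-creation case visible when auditing authentication. `_createUser` is not shown here, so it is worth confirming that the request which loses the race cannot continue before the winning request has finished setting up the user's authorizations and permissions. The enclosing method starts and ends outside this hunk.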

http://git-wip-us.apache.org/repos/asf/accumulo/blob/38baaa8a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
b/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
index 3ead57f..0aecfbf 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
@@ -158,7 +158,6 @@ public class KerberosAuthenticator implements Authenticator {
       createUserNodeInZk(Base64.encodeBase64String(principal.getBytes(UTF_8)));
     } catch (KeeperException e) {
       if (e.code().equals(KeeperException.Code.NODEEXISTS)) {
-        log.error("User already exists in ZooKeeper", e);
         throw new AccumuloSecurityException(principal, SecurityErrorCode.USER_EXISTS, e);
       }
       log.error("Failed to create user in ZooKeeper", e);

