accumulo-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From els...@apache.org
Subject [1/3] accumulo git commit: ACCUMULO-4140 Store root username in plaintext in ZooKeeper when using Kerberos.
Date Wed, 17 Feb 2016 19:56:17 GMT
Repository: accumulo
Updated Branches:
  refs/heads/1.7 c283f4acb -> a7e45df2d
  refs/heads/master 3c023a3c8 -> 4b88ec844


ACCUMULO-4140 Store root username in plaintext in ZooKeeper when using Kerberos.

Signed-off-by: Josh Elser <elserj@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/a7e45df2
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/a7e45df2
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/a7e45df2

Branch: refs/heads/1.7
Commit: a7e45df2d97faa81ca76ba4bc15555aadee4dc0b
Parents: c283f4a
Author: William Slacum <ujustgotbilld@apache.org>
Authored: Mon Feb 15 14:02:08 2016 -0800
Committer: Josh Elser <elserj@apache.org>
Committed: Wed Feb 17 13:04:32 2016 -0500

----------------------------------------------------------------------
 .../server/security/handler/KerberosAuthenticator.java  |  9 +++++----
 .../org/apache/accumulo/test/functional/KerberosIT.java | 12 ++++++++++++
 2 files changed, 17 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/a7e45df2/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
b/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
index 0aecfbf..018c901 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/security/handler/KerberosAuthenticator.java
@@ -100,12 +100,13 @@ public class KerberosAuthenticator implements Authenticator {
           log.info("Removed " + zkUserPath + "/" + " from zookeeper");
         }
 
-        principal = Base64.encodeBase64String(principal.getBytes(UTF_8));
-
         // prep parent node of users with root username
-        zoo.putPersistentData(zkUserPath, principal.getBytes(UTF_8), NodeExistsPolicy.FAIL);
+        // ACCUMULO-4140 The root user needs to be stored un-base64 encoded in the znode's
value
+        byte[] principalData = principal.getBytes(UTF_8);
+        zoo.putPersistentData(zkUserPath, principalData, NodeExistsPolicy.FAIL);
 
-        createUserNodeInZk(principal);
+        // Create the root user in ZK using base64 encoded name (since the name is included
in the znode)
+        createUserNodeInZk(Base64.encodeBase64String(principalData));
       }
     } catch (KeeperException | InterruptedException e) {
       log.error("Failed to initialize security", e);

http://git-wip-us.apache.org/repos/asf/accumulo/blob/a7e45df2/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java
----------------------------------------------------------------------
diff --git a/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java b/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java
index 596676a..612718d 100644
--- a/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java
+++ b/test/src/test/java/org/apache/accumulo/test/functional/KerberosIT.java
@@ -556,6 +556,18 @@ public class KerberosIT extends AccumuloIT {
         identifier.getExpirationDate() - identifier.getIssueDate() <= (5 * 60 * 1000));
   }
 
+  @Test(expected = AccumuloSecurityException.class)
+  public void testRootUserHasIrrevocablePermissions() throws Exception {
+    // Login as the client (provided to `accumulo init` as the "root" user)
+    UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
+
+    final Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
+
+    // The server-side implementation should prevent the revocation of the 'root' user's
systems permissions
+    // because once they're gone, it's possible that they could never be restored.
+    conn.securityOperations().revokeSystemPermission(rootUser.getPrincipal(), SystemPermission.GRANT);
+  }
+
   /**
    * Creates a table, adds a record to it, and then compacts the table. A simple way to make
sure that the system user exists (since the master does an RPC to
    * the tserver which will create the system user if it doesn't already exist).


Mime
View raw message