From: ctubbsii@apache.org To: commits@accumulo.apache.org Date: Thu, 18 Aug 2016 23:31:02 -0000 Message-Id: <454d2fda8ad64be585a34b0d1617d038@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [1/5] accumulo git commit: ACCUMULO-2971: multiple improvements for ChangeSecret tool archived-at: Thu, 18 Aug 2016 23:31:04 -0000 Repository: accumulo Updated Branches: refs/heads/1.8 4bc75b117 -> 8b2470174 refs/heads/master ef380e1ef -> 5ead817bc ACCUMULO-2971: multiple improvements for ChangeSecret tool Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/a0c74ee9 Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/a0c74ee9 Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/a0c74ee9 Branch: refs/heads/1.8 Commit: a0c74ee915798c709c0a559732bed3cfcb6d0f39 Parents: 4bc75b1 Author: Mike Miller Authored: Thu Jul 21 17:13:01 2016 -0400 Committer: Christopher Tubbs Committed: Thu Aug 18 14:08:02 2016 -0400 ---------------------------------------------------------------------- .../accumulo/server/util/ChangeSecret.java | 71 +++++++++++++++----- 1 file changed, 53 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/a0c74ee9/server/base/src/main/java/org/apache/accumulo/server/util/ChangeSecret.java ---------------------------------------------------------------------- diff --git a/server/base/src/main/java/org/apache/accumulo/server/util/ChangeSecret.java b/server/base/src/main/java/org/apache/accumulo/server/util/ChangeSecret.java index 43863b5..02f0eb1 100644 --- a/server/base/src/main/java/org/apache/accumulo/server/util/ChangeSecret.java +++ b/server/base/src/main/java/org/apache/accumulo/server/util/ChangeSecret.java 
@@ -36,7 +36,11 @@ import org.apache.accumulo.server.cli.ClientOpts; import org.apache.accumulo.server.fs.VolumeManager; import org.apache.accumulo.server.fs.VolumeManagerImpl; import org.apache.accumulo.server.zookeeper.ZooReaderWriter; +import org.apache.hadoop.fs.FileStatus; import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsAction; +import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.zookeeper.ZooDefs.Ids; import org.apache.zookeeper.data.ACL; import org.apache.zookeeper.data.Stat; @@ -53,22 +57,26 @@ public class ChangeSecret { } public static void main(String[] args) throws Exception { + VolumeManager fs = VolumeManagerImpl.get(); + verifyHdfsWritePermission(fs); + Opts opts = new Opts(); List argsList = new ArrayList<>(args.length + 2); argsList.add("--old"); argsList.add("--new"); argsList.addAll(Arrays.asList(args)); opts.parseArgs(ChangeSecret.class.getName(), argsList.toArray(new String[0])); - VolumeManager fs = VolumeManagerImpl.get(); + Instance inst = opts.getInstance(); - if (!verifyAccumuloIsDown(inst, opts.oldPass)) - System.exit(-1); - String instanceId = rewriteZooKeeperInstance(inst, opts.oldPass, opts.newPass); - updateHdfs(fs, inst, instanceId); + verifyAccumuloIsDown(inst, opts.oldPass); + + final String newInstanceId = UUID.randomUUID().toString(); + updateHdfs(fs, inst, newInstanceId); + rewriteZooKeeperInstance(inst, newInstanceId, opts.oldPass, opts.newPass); if (opts.oldPass != null) { deleteInstance(inst, opts.oldPass); } - System.out.println("New instance id is " + instanceId); + System.out.println("New instance id is " + newInstanceId); System.out.println("Be sure to put your new secret in accumulo-site.xml"); } 
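Review bot: In `main`, `updateHdfs(fs, inst, newInstanceId)` now runs before `rewriteZooKeeperInstance(inst, newInstanceId, opts.oldPass, opts.newPass)`, but nothing handles a failure of the second step. If the ZooKeeper rewrite throws, the volumes presumably already carry the new instance id while ZooKeeper still holds the old tree under the old secret (the body of `updateHdfs` is not in this hunk, so this is inferred). The new id is only printed on the success path, so the operator gets no value to recover with. I would wrap the `rewriteZooKeeperInstance` call in a try/catch that prints the step that failed and the id, for example `System.err.println("HDFS already updated to instance id " + newInstanceId + "; ZooKeeper rewrite failed");`, and then rethrows. Separately, `verifyHdfsWritePermission(fs)` now runs before `opts.parseArgs(...)`, so a malformed command line touches HDFS before it is rejected.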
@@ -87,7 +95,7 @@ public class ChangeSecret { } } - private static boolean verifyAccumuloIsDown(Instance inst, String oldPassword) { + private static void verifyAccumuloIsDown(Instance inst, String oldPassword) throws Exception { ZooReader zooReader = new ZooReaderWriter(inst.getZooKeepers(), inst.getZooKeepersSessionTimeOut(), oldPassword); String root = ZooUtil.getRoot(inst); final List ephemerals = new ArrayList<>(); @@ -99,21 +107,19 @@ public class ChangeSecret { ephemerals.add(path); } }); - if (ephemerals.size() == 0) { - return true; - } - - System.err.println("The following ephemeral nodes exist, something is still running:"); - for (String path : ephemerals) { - System.err.println(path); + if (ephemerals.size() > 0) { + System.err.println("The following ephemeral nodes exist, something is still running:"); + for (String path : ephemerals) { + System.err.println(path); + } + throw new Exception("Accumulo must be shut down in order to run this tool."); } - return false; } - private static String rewriteZooKeeperInstance(final Instance inst, String oldPass, String newPass) throws Exception { + private static void rewriteZooKeeperInstance(final Instance inst, String newInstanceId, String oldPass, String newPass) throws Exception { final ZooReaderWriter orig = new ZooReaderWriter(inst.getZooKeepers(), inst.getZooKeepersSessionTimeOut(), oldPass); final IZooReaderWriter new_ = new ZooReaderWriter(inst.getZooKeepers(), inst.getZooKeepersSessionTimeOut(), newPass); - final String newInstanceId = UUID.randomUUID().toString(); + String root = ZooUtil.getRoot(inst); recurse(orig, root, new Visitor() { @Override 
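Review bot: The new `throw new Exception("Accumulo must be shut down in order to run this tool.");` in `verifyAccumuloIsDown` uses the raw checked `Exception`, which forces `throws Exception` on the signature and gives callers nothing specific to catch. `throw new IllegalStateException("Accumulo must be shut down in order to run this tool.");` states the condition directly. The same applies to the `throw new Exception(String.format("Permission denied: ...` in `checkHdfsAccessPermissions` in the last hunk. The ephemeral-node scan is also a point-in-time check, so a comment such as `// Best-effort: a server may still start after this scan.` would document that for the next reader. The method begins in the previous hunk, and `rewriteZooKeeperInstance` continues past the end of this one.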
@@ -143,7 +149,6 @@ public class ChangeSecret { String path = "/accumulo/instances/" + inst.getInstanceName(); orig.recursiveDelete(path, NodeMissingPolicy.SKIP); new_.putPersistentData(path, newInstanceId.getBytes(UTF_8), NodeExistsPolicy.OVERWRITE); - return newInstanceId; } private static void updateHdfs(VolumeManager fs, Instance inst, String newInstanceId) throws IOException { @@ -162,6 +167,36 @@ public class ChangeSecret { } } + private static void verifyHdfsWritePermission(VolumeManager fs) throws Exception { + for (Volume v : fs.getVolumes()) { + final Path instanceId = ServerConstants.getInstanceIdLocation(v); + FileStatus fileStatus = v.getFileSystem().getFileStatus(instanceId); + checkHdfsAccessPermissions(fileStatus, FsAction.WRITE); + } + } + + private static void checkHdfsAccessPermissions(FileStatus stat, FsAction mode) throws Exception { + FsPermission perm = stat.getPermission(); + UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); + String user = ugi.getShortUserName(); + List groups = Arrays.asList(ugi.getGroupNames()); + if (user.equals(stat.getOwner())) { + if (perm.getUserAction().implies(mode)) { + return; + } + } else if (groups.contains(stat.getGroup())) { + if (perm.getGroupAction().implies(mode)) { + return; + } + } else { + if (perm.getOtherAction().implies(mode)) { + return; + } + } + throw new Exception(String.format("Permission denied: user=%s, path=\"%s\":%s:%s:%s%s", user, stat.getPath(), stat.getOwner(), stat.getGroup(), + stat.isDirectory() ? "d" : "-", perm)); + } + private static void deleteInstance(Instance origInstance, String oldPass) throws Exception { IZooReaderWriter orig = new ZooReaderWriter(origInstance.getZooKeepers(), origInstance.getZooKeepersSessionTimeOut(), oldPass); orig.recursiveDelete("/accumulo/" + origInstance.getInstanceID(), NodeMissingPolicy.SKIP);
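Review bot: `checkHdfsAccessPermissions` re-derives the access decision on the client from the owner/group/other bits of `FsPermission`, so it can disagree with what the NameNode actually enforces. As written it takes no account of HDFS ACL entries or of the HDFS superuser, so it may reject a user who can write, or accept one whom an ACL denies. If the minimum supported Hadoop version provides it, `v.getFileSystem().access(instanceId, FsAction.WRITE);` in `verifyHdfsWritePermission` lets the filesystem make the decision and throws `AccessControlException` on denial. Either way the result is advisory, since permissions can change before `updateHdfs` runs, so I would add `// Pre-flight check only; the later write can still be refused.` above the method.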