accumulo-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bus...@apache.org
Subject [accumulo] branch 1.9 updated: Upgrade process should not assume the administrative user is named 'root'. (#944)
Date Fri, 08 Feb 2019 18:40:55 GMT
This is an automated email from the ASF dual-hosted git repository.

busbey pushed a commit to branch 1.9
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/1.9 by this push:
     new cee8fa1  Upgrade process should not assume the administrative user is named 'root'.
(#944)
cee8fa1 is described below

commit cee8fa1c4c71672f2712a6f8d0b284112bf06186
Author: Sean Busbey <sean.busbey@gmail.com>
AuthorDate: Fri Feb 8 12:40:50 2019 -0600

    Upgrade process should not assume the administrative user is named 'root'. (#944)
    
    
    When Accumulo is configured to use Kerberos for client authentication the
    administrative user is configured at security initialization. Before this
    change the upgrade process would attempt to grant access to the system
    namespace to the 'root' user rather than to the configured administrative
    user.
    
    Co-Authored-By: Christopher Tubbs <ctubbsii@apache.org>
---
 .../src/main/java/org/apache/accumulo/master/Master.java | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/server/master/src/main/java/org/apache/accumulo/master/Master.java b/server/master/src/main/java/org/apache/accumulo/master/Master.java
index 7255410..8e2881a 100644
--- a/server/master/src/main/java/org/apache/accumulo/master/Master.java
+++ b/server/master/src/main/java/org/apache/accumulo/master/Master.java
@@ -450,6 +450,12 @@ public class Master extends AccumuloServerContext
         moveRootTabletToRootTable(zoo);
 
         // add system namespace permissions to existing users
+        // N.B. this section is ignoring the configured PermissionHandler
+        // under the assumption that these details are in zk and we can
+        // modify the structure so long as we pass back in whatever we read.
+        // This is true for any permission handler, including KerberosPermissionHandler,
+        // that uses the ZKPermHandler for permissions storage so long
+        // as the PermHandler only overrides the user name, and we don't care what the user
name is.
         ZKPermHandler perm = new ZKPermHandler();
         perm.initialize(getInstance().getInstanceID(), true);
         String users = ZooUtil.getRoot(getInstance()) + "/users";
@@ -459,8 +465,14 @@ public class Master extends AccumuloServerContext
           perm.grantNamespacePermission(user, Namespaces.ACCUMULO_NAMESPACE_ID,
               NamespacePermission.READ);
         }
-        perm.grantNamespacePermission("root", Namespaces.ACCUMULO_NAMESPACE_ID,
-            NamespacePermission.ALTER_TABLE);
+        // because we need to refer to the root username, we can't use the
+        // ZKPermHandler directly since that violates our earlier assumption that we don't
+        // care about contents of the username. When using a PermissionHandler that needs
to
+        // encode the username in some way, i.e. the KerberosPermissionHandler, things would
+        // fail. Instead we should be able to use the security object since
+        // the loop above should have made the needed structure in ZK.
+        security.grantNamespacePermission(rpcCreds(), security.getRootUsername(),
+            Namespaces.ACCUMULO_NAMESPACE_ID, NamespacePermission.ALTER_TABLE);
 
         // add the currlog location for root tablet current logs
         zoo.putPersistentData(ZooUtil.getRoot(getInstance()) + RootTable.ZROOT_TABLET_CURRENT_LOGS,


Mime
View raw message