From apurt...@apache.org
Subject [3/3] git commit: HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das)
Date Mon, 15 Sep 2014 03:29:33 GMT
HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das)


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/8c4baf6a
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/8c4baf6a
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/8c4baf6a

Branch: refs/heads/master
Commit: 8c4baf6a8a459cf6d4732842db3d742b8e63e74c
Parents: 4018e85
Author: Andrew Purtell <apurtell@apache.org>
Authored: Sun Sep 14 20:29:24 2014 -0700
Committer: Andrew Purtell <apurtell@apache.org>
Committed: Sun Sep 14 20:29:24 2014 -0700

----------------------------------------------------------------------
 .../org/apache/hadoop/hbase/security/User.java   | 19 +++++++++++++++++++
 .../hbase/security/access/AccessController.java  | 17 +++++++++++++----
 2 files changed, 32 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/8c4baf6a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
----------------------------------------------------------------------
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
index 5abff9d..fd12e47 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
@@ -165,6 +165,25 @@ public abstract class User {
   }
 
   /**
+   * Executes the given action as the login user
+   * @param action
+   * @return
+   * @throws IOException
+   * @throws InterruptedException
+   */
+  @SuppressWarnings({ "rawtypes", "unchecked" })
+  public static <T> T runAsLoginUser(PrivilegedExceptionAction<T> action) throws
IOException {
+    try {
+      Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
+      Class [] types = new Class[]{PrivilegedExceptionAction.class};
+      Object[] args = new Object[]{action};
+      return (T) Methods.call(c, null, "doAsLoginUser", types, args);
+    } catch (Throwable e) {
+      throw new IOException(e);
+    }
+  }
+
+  /**
    * Wraps an underlying {@code UserGroupInformation} instance.
    * @param ugi The base Hadoop user
    * @return User
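Review bot: The `catch (Throwable e)` in runAsLoginUser turns every failure, including an `InterruptedException` and any `Error`, into a plain `IOException`, while the Javadoc still lists `@throws InterruptedException`, which the signature cannot throw. I would narrow it to `catch (Exception e)`, restore the interrupt flag when the cause is an interrupt, and drop the stale tag. The Javadoc should also say why the method is sensitive: it is `public static` and runs the supplied action with the process login identity rather than the RPC caller's. A sentence such as `Callers must complete all authorization checks for the requesting user before invoking this; the action runs with the server's own credentials.` belongs above the currently empty `@param` and `@return` tags.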

http://git-wip-us.apache.org/repos/asf/hbase/blob/8c4baf6a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index fa87289..0ff0041 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -16,6 +16,7 @@ package org.apache.hadoop.hbase.security.access;
 
 import java.io.IOException;
 import java.net.InetAddress;
+import java.security.PrivilegedExceptionAction;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -881,7 +882,7 @@ public class AccessController extends BaseMasterAndRegionObserver
   }
 
   @Override
-  public void postCreateTableHandler(ObserverContext<MasterCoprocessorEnvironment>
c,
+  public void postCreateTableHandler(final ObserverContext<MasterCoprocessorEnvironment>
c,
       HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
     // When AC is used, it should be configured as the 1st CP.
     // In Master, the table operations like create, are handled by a Thread pool but the
max size
@@ -910,9 +911,17 @@ public class AccessController extends BaseMasterAndRegionObserver
         // default the table owner to current user, if not specified.
         if (owner == null)
           owner = getActiveUser().getShortName();
-        UserPermission userperm = new UserPermission(Bytes.toBytes(owner), desc.getTableName(),
-            null, Action.values());
-        AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(), userperm);
+        final UserPermission userperm = new UserPermission(Bytes.toBytes(owner),
+            desc.getTableName(), null, Action.values());
+        // switch to the real hbase master user for doing the RPC on the ACL table
+        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
+          @Override
+          public Void run() throws Exception {
+            AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
+                userperm);
+            return null;
+          }
+        });
       }
     }
   }
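Review bot: The grant inside the new `run()` is written with the master's login identity, so any permission check the ACL table applies to the RPC caller no longer constrains this write; the checks made before this handler are the only gate. `owner` is assigned above the hunk; if it can come from the client-supplied table descriptor, confirm that an earlier hook validates it, since it receives `Action.values()`. I would expand the comment to `// Only the hbase:acl write runs as the login user; owner is resolved from the request context above and must not be looked up inside run().` and keep the privileged block limited to that single call. postCreateTableHandler starts above the hunk, and other handlers that write to hbase:acl are not visible here; if they exist, they probably need the same wrapping, and a test that creates a table as a non-superuser would pin the behaviour.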

