Return-Path: X-Original-To: apmail-hbase-commits-archive@www.apache.org Delivered-To: apmail-hbase-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 67BC811E5E for ; Mon, 15 Sep 2014 03:29:32 +0000 (UTC) Received: (qmail 18574 invoked by uid 500); 15 Sep 2014 03:29:32 -0000 Delivered-To: apmail-hbase-commits-archive@hbase.apache.org Received: (qmail 18457 invoked by uid 500); 15 Sep 2014 03:29:32 -0000 Mailing-List: contact commits-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@hbase.apache.org Delivered-To: mailing list commits@hbase.apache.org Received: (qmail 18432 invoked by uid 99); 15 Sep 2014 03:29:32 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 15 Sep 2014 03:29:32 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id BE62D9C598E; Mon, 15 Sep 2014 03:29:31 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: apurtell@apache.org To: commits@hbase.apache.org Date: Mon, 15 Sep 2014 03:29:32 -0000 Message-Id: <367562deaafb49c89817d511b84c58f9@git.apache.org> In-Reply-To: <1f5499e6887d48f9befd6c7fdcdbdac6@git.apache.org> References: <1f5499e6887d48f9befd6c7fdcdbdac6@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/3] git commit: HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das) HBASE-11972 The doAs user used in the update to hbase:acl table RPC is incorrect (Devaraj Das) Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/435530b4 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/435530b4 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/435530b4 Branch: refs/heads/branch-1 Commit: 435530b4d60751655ba459693da75c73f872d15f Parents: 49e2741 Author: Andrew Purtell Authored: Sun Sep 14 20:29:22 2014 -0700 Committer: Andrew Purtell Committed: Sun Sep 14 20:29:22 2014 -0700 ---------------------------------------------------------------------- .../org/apache/hadoop/hbase/security/User.java | 19 +++++++++++++++++++ .../hbase/security/access/AccessController.java | 17 +++++++++++++---- 2 files changed, 32 insertions(+), 4 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/435530b4/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
----------------------------------------------------------------------
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
index 5abff9d..fd12e47 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/security/User.java
@@ -165,6 +165,25 @@ public abstract class User {
 }
 /**
+ * Executes the given action as the login user
+ * @param action
+ * @return
+ * @throws IOException
+ * @throws InterruptedException
+ */
+ @SuppressWarnings({ "rawtypes", "unchecked" })
+ public static T runAsLoginUser(PrivilegedExceptionAction action) throws IOException {
+ try {
+ Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");
+ Class [] types = new Class[]{PrivilegedExceptionAction.class};
+ Object[] args = new Object[]{action};
+ return (T) Methods.call(c, null, "doAsLoginUser", types, args);
+ } catch (Throwable e) {
+ throw new IOException(e);
+ }
+ }
+
+ /**
 * Wraps an underlying {@code UserGroupInformation} instance.
 * @param ugi The base Hadoop user
 * @return User
http://git-wip-us.apache.org/repos/asf/hbase/blob/435530b4/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index d0fe19d..2e23860 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -16,6 +16,7 @@ package org.apache.hadoop.hbase.security.access;
 import java.io.IOException;
 import java.net.InetAddress;
+import java.security.PrivilegedExceptionAction;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
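Review bot: `catch (Throwable e)` in `runAsLoginUser` folds `Error`s and whatever `Methods.call` propagates from the action — on its face including an `InterruptedException` — into a single `IOException`, while the Javadoc's `@throws InterruptedException` tag does not match a signature that declares only `IOException`. Narrowing the handler to `catch (Exception e)` and, when `e instanceof InterruptedException`, calling `Thread.currentThread().interrupt()` before rethrowing would preserve the thread's interrupt status; the stale `@throws` tag should be dropped. The method also deserves one sentence on its security contract, since the action runs with the server process's own login credentials rather than the RPC caller's: `Runs {@code action} with the credentials of the process login user (the server's own principal), not the current RPC caller; resolve and authorize every caller-derived input before invoking this.` The reflective lookup of `org.apache.hadoop.security.SecurityUtil.doAsLoginUser` presumably exists because the method is not present on every Hadoop version HBase supports; a comment saying so would explain why a missing class or method surfaces as an `IOException` at runtime rather than at compile time.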
@@ -880,7 +881,7 @@ public class AccessController extends BaseMasterAndRegionObserver
 }
 @Override
- public void postCreateTableHandler(ObserverContext c,
+ public void postCreateTableHandler(final ObserverContext c,
 HTableDescriptor desc, HRegionInfo[] regions) throws IOException {
 // When AC is used, it should be configured as the 1st CP.
 // In Master, the table operations like create, are handled by a Thread pool but the max size
@@ -909,9 +910,17 @@ public class AccessController extends BaseMasterAndRegionObserver
 // default the table owner to current user, if not specified.
 if (owner == null) owner = getActiveUser().getShortName();
- UserPermission userperm = new UserPermission(Bytes.toBytes(owner), desc.getTableName(),
- null, Action.values());
- AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(), userperm);
+ final UserPermission userperm = new UserPermission(Bytes.toBytes(owner),
+ desc.getTableName(), null, Action.values());
+ // switch to the real hbase master user for doing the RPC on the ACL table
+ User.runAsLoginUser(new PrivilegedExceptionAction() {
+ @Override
+ public Void run() throws Exception {
+ AccessControlLists.addUserPermission(c.getEnvironment().getConfiguration(),
+ userperm);
+ return null;
+ }
+ });
 }
 }
 }
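Review bot: The `run()` body of the new `PrivilegedExceptionAction` executes with the master's login credentials, so the comment above it should state the invariant the hunk relies on: every caller-derived value (`owner` via `getActiveUser()`, `userperm`) is resolved before the switch and nothing inside `run()` may consult the active user or the RPC context (the enclosing `postCreateTableHandler` begins outside this hunk). Suggested replacement for `// switch to the real hbase master user for doing the RPC on the ACL table`: `// Write the owner grant to hbase:acl as the master's login user: the RPC caller (possibly a proxied doAs user) may lack write access to hbase:acl. owner and userperm are resolved from the caller above; nothing in run() may consult the active user.` The anonymous class captures the whole `ObserverContext` `c` only to reach its configuration; hoisting `c.getEnvironment().getConfiguration()` into a final local outside the block keeps the privileged section down to the single `addUserPermission` call. Because `User.runAsLoginUser` rethrows every failure as an `IOException` after the table already exists, a failure here surfaces as a create error while leaving the new table with no owner grant recorded, which is worth logging with the table name and owner at this call site.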