From mberto...@apache.org
Subject [2/3] hbase git commit: HBASE-12925 Use acl cache for doing access control checks in prepare and clean phases of Bulkloading (Srikanth Srungarapu)
Date Tue, 27 Jan 2015 13:33:06 GMT
HBASE-12925 Use acl cache for doing access control checks in prepare and clean phases of Bulkloading
(Srikanth Srungarapu)


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/65e374dd
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/65e374dd
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/65e374dd

Branch: refs/heads/branch-1.0
Commit: 65e374ddd177f98c2f9c963aa1869c08ebf5bc12
Parents: bb85917
Author: Matteo Bertozzi <matteo.bertozzi@cloudera.com>
Authored: Tue Jan 27 12:47:46 2015 +0000
Committer: Matteo Bertozzi <matteo.bertozzi@cloudera.com>
Committed: Tue Jan 27 13:05:37 2015 +0000

----------------------------------------------------------------------
 .../hbase/security/access/AccessController.java | 51 ++------------------
 .../security/access/TestAccessController.java   | 27 ++++++++++-
 2 files changed, 31 insertions(+), 47 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/65e374dd/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 9955a8a..e0c60b3 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -18,7 +18,6 @@ import java.io.IOException;
 import java.net.InetAddress;
 import java.security.PrivilegedExceptionAction;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
@@ -30,7 +29,6 @@ import java.util.TreeSet;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.hbase.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.Cell;
 import org.apache.hadoop.hbase.CellScanner;
@@ -51,6 +49,7 @@ import org.apache.hadoop.hbase.ServerName;
 import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.Tag;
 import org.apache.hadoop.hbase.TagRewriteCell;
+import org.apache.hadoop.hbase.classification.InterfaceAudience;
 import org.apache.hadoop.hbase.client.Append;
 import org.apache.hadoop.hbase.client.Delete;
 import org.apache.hadoop.hbase.client.Durability;
@@ -1953,34 +1952,6 @@ public class AccessController extends BaseMasterAndRegionObserver
     }
   }
 
-  private AuthResult hasSomeAccess(RegionCoprocessorEnvironment e, String method, Action
action)
-      throws IOException {
-    User requestUser = getActiveUser();
-    final TableName tableName = e.getRegion().getTableDesc().getTableName();
-    AuthResult authResult = permissionGranted(method, requestUser, action, e,
-      Collections.EMPTY_MAP);
-    if (!authResult.isAllowed()) {
-      final Configuration conf = e.getConfiguration();
-      // hasSomeAccess is called from bulkload pre hooks
-      List<UserPermission> perms =
-        User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>()
{
-          @Override
-          public List<UserPermission> run() throws Exception {
-            return AccessControlLists.getUserTablePermissions(conf, tableName);
-          }
-        });
-      for (UserPermission userPerm: perms) {
-        for (Action userAction: userPerm.getActions()) {
-          if (userAction.equals(action)) {
-            return AuthResult.allow(method, "Access allowed", requestUser,
-              action, tableName, null, null);
-          }
-        }
-      }
-    }
-    return authResult;
-  }
-
   /**
    * Authorization check for
    * SecureBulkLoadProtocol.prepareBulkLoad()
@@ -1991,14 +1962,8 @@ public class AccessController extends BaseMasterAndRegionObserver
   @Override
   public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx,
                                  PrepareBulkLoadRequest request) throws IOException {
-    RegionCoprocessorEnvironment e = ctx.getEnvironment();
-
-    AuthResult authResult = hasSomeAccess(e, "prePrepareBulkLoad", Action.CREATE);
-    logResult(authResult);
-    if (!authResult.isAllowed()) {
-      throw new AccessDeniedException("Insufficient permissions (table=" +
-        e.getRegion().getTableDesc().getTableName() + ", action=CREATE)");
-    }
+    requireAccess("prePareBulkLoad",
+        ctx.getEnvironment().getRegion().getTableDesc().getTableName(), Action.CREATE);
   }
 
   /**
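Review bot: The request name passed to requireAccess in prePrepareBulkLoad is `"prePareBulkLoad"`, which matches neither the method name nor the `"prePrepareBulkLoad"` string the removed call used. If requireAccess records this name in its audit output (presumably it does, since the old path logged through logResult), denied prepare calls will not be found when searching by hook name. Change the call to `requireAccess("prePrepareBulkLoad",` so that it reads like the `"preCleanupBulkLoad"` call in the next hunk. The method's Javadoc begins outside this hunk.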
@@ -2011,14 +1976,8 @@ public class AccessController extends BaseMasterAndRegionObserver
   @Override
   public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx,
                                  CleanupBulkLoadRequest request) throws IOException {
-    RegionCoprocessorEnvironment e = ctx.getEnvironment();
-
-    AuthResult authResult = hasSomeAccess(e, "preCleanupBulkLoad", Action.CREATE);
-    logResult(authResult);
-    if (!authResult.isAllowed()) {
-      throw new AccessDeniedException("Insufficient permissions (table=" +
-        e.getRegion().getTableDesc().getTableName() + ", action=CREATE)");
-    }
+    requireAccess("preCleanupBulkLoad",
+        ctx.getEnvironment().getRegion().getTableDesc().getTableName(), Action.CREATE);
   }
 
   /* ---- EndpointObserver implementation ---- */

http://git-wip-us.apache.org/repos/asf/hbase/blob/65e374dd/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index d66f660..f50c831 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -263,7 +263,7 @@ public class TestAccessController extends SecureTestUtil {
 
     grantOnTable(TEST_UTIL, USER_ADMIN_CF.getShortName(),
       TEST_TABLE.getTableName(), TEST_FAMILY,
-      null, Permission.Action.ADMIN);
+      null, Permission.Action.ADMIN, Permission.Action.CREATE);
 
     assertEquals(5, AccessControlLists.getTablePermissions(conf, TEST_TABLE.getTableName()).size());
     try {
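Review bot: Adding `Permission.Action.CREATE` to the existing USER_ADMIN_CF grant changes a shared fixture rather than the new test's own setup. Every other test in this class that uses USER_ADMIN_CF now runs with a user holding family-scoped CREATE as well as ADMIN. Any existing assertion that this user is denied a CREATE-gated operation should be re-checked, and the user's name no longer describes what it is granted. Consider granting CREATE on TEST_FAMILY to a dedicated test user instead, or at least add a comment above the grant such as `// CREATE added so the family-scoped case is covered by testPrepareAndCleanBulkLoad`. The enclosing method starts and ends outside the hunk.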
@@ -2479,4 +2479,29 @@ public class TestAccessController extends SecureTestUtil {
     TEST_UTIL.deleteTable(table2);
     TEST_UTIL.getMiniHBaseCluster().getMaster().deleteNamespace(ns);
   }
+
+  private void verifyAnyCreate(AccessTestAction action) throws Exception {
+    verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_OWNER, USER_CREATE, USER_ADMIN_CF);
+    verifyDenied(action, USER_NONE, USER_RO, USER_RW);
+  }
+
+  @Test
+  public void testPrepareAndCleanBulkLoad() throws Exception {
+    AccessTestAction prepareBulkLoadAction = new AccessTestAction() {
+      @Override
+      public Object run() throws Exception {
+        ACCESS_CONTROLLER.prePrepareBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null),
null);
+        return null;
+      }
+    };
+    AccessTestAction cleanupBulkLoadAction = new AccessTestAction() {
+      @Override
+      public Object run() throws Exception {
+        ACCESS_CONTROLLER.preCleanupBulkLoad(ObserverContext.createAndPrepare(RCP_ENV, null),
null);
+        return null;
+      }
+    };
+    verifyAnyCreate(prepareBulkLoadAction);
+    verifyAnyCreate(cleanupBulkLoadAction);
+  }
 }
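Review bot: testPrepareAndCleanBulkLoad has no comment saying which regression it guards, and that is the security-relevant part of this commit. The removed hasSomeAccess fallback allowed the caller whenever any UserPermission on the table carried the action, without comparing that permission's user to the requesting user. The `verifyDenied(action, USER_NONE, USER_RO, USER_RW)` line in verifyAnyCreate is what pins this down, so I would add above it `// must stay denied even though other users hold CREATE on this table (HBASE-12925)`. Both hooks are also invoked with a `null` request; a short comment that the access check does not read the request would keep that from looking like an oversight.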

