hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From apurt...@apache.org
Subject [4/6] hbase git commit: HBASE-15200 ZooKeeper znode ACL checks should only compare the shortname
Date Thu, 04 Feb 2016 00:29:48 GMT
HBASE-15200 ZooKeeper znode ACL checks should only compare the shortname


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/8172c6c4
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/8172c6c4
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/8172c6c4

Branch: refs/heads/0.98
Commit: 8172c6c4b5edcfb4bbfd7a01a77303871a7578af
Parents: 60c6b6d
Author: Andrew Purtell <apurtell@apache.org>
Authored: Mon Feb 1 09:48:16 2016 -0800
Committer: Andrew Purtell <apurtell@apache.org>
Committed: Wed Feb 3 10:52:14 2016 -0800

----------------------------------------------------------------------
 .../hbase/zookeeper/ZooKeeperWatcher.java       | 56 ++++++++++++++++++--
 1 file changed, 52 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/8172c6c4/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
index ede8806..db07c98 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZooKeeperWatcher.java
@@ -24,6 +24,8 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.CountDownLatch;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -130,6 +132,9 @@ public class ZooKeeperWatcher implements Watcher, Abortable, Closeable
{
 
   private final Exception constructorCaller;
 
+  /* A pattern that matches a Kerberos name, borrowed from Hadoop's KerberosName */
+  private static final Pattern NAME_PATTERN = Pattern.compile("([^/@]*)(/([^/@]*))?@([^/@]*)");
+
   /**
    * Instantiate a ZooKeeper connection and watcher.
    * @param identifier string that is passed to RecoverableZookeeper to be used as
@@ -222,6 +227,7 @@ public class ZooKeeperWatcher implements Watcher, Abortable, Closeable
{
    */
   public void checkAndSetZNodeAcls() {
     if (!ZKUtil.isSecureZooKeeper(getConfiguration())) {
+      LOG.info("not a secure deployment, proceeding");
       return;
     }
 
@@ -268,6 +274,9 @@ public class ZooKeeperWatcher implements Watcher, Abortable, Closeable
{
    * @throws IOException
    */
   private boolean isBaseZnodeAclSetup(List<ACL> acls) throws IOException {
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("Checking znode ACLs");
+    }
     String[] superUsers = conf.getStrings(Superusers.SUPERUSER_CONF_KEY);
     // Check whether ACL set for all superusers
     if (superUsers != null && !checkACLForSuperUsers(superUsers, acls)) {
@@ -279,6 +288,9 @@ public class ZooKeeperWatcher implements Watcher, Abortable, Closeable
{
     String hbaseUser = UserGroupInformation.getCurrentUser().getShortUserName();
 
     if (acls.isEmpty()) {
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("ACL is empty");
+      }
       return false;
     }
 
@@ -289,17 +301,45 @@ public class ZooKeeperWatcher implements Watcher, Abortable, Closeable
{
       // and one for the hbase user
       if (Ids.ANYONE_ID_UNSAFE.equals(id)) {
         if (perms != Perms.READ) {
+          if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("permissions for '%s' are not correct: have %0x, want
%0x",
+              id, perms, Perms.READ));
+          }
           return false;
         }
       } else if (superUsers != null && isSuperUserId(superUsers, id)) {
         if (perms != Perms.ALL) {
+          if (LOG.isDebugEnabled()) {
+            LOG.debug(String.format("permissions for '%s' are not correct: have %0x, want
%0x",
+              id, perms, Perms.ALL));
+          }
           return false;
         }
-      } else if (new Id("sasl", hbaseUser).equals(id)) {
-        if (perms != Perms.ALL) {
+      } else if ("sasl".equals(id.getScheme())) {
+        String name = id.getId();
+        // If ZooKeeper recorded the Kerberos full name in the ACL, use only the shortname
+        Matcher match = NAME_PATTERN.matcher(name);
+        if (match.matches()) {
+          name = match.group(1);
+        }
+        if (name.equals(hbaseUser)) {
+          if (perms != Perms.ALL) {
+            if (LOG.isDebugEnabled()) {
+              LOG.debug(String.format("permissions for '%s' are not correct: have %0x, want
%0x",
+                id, perms, Perms.ALL));
+            }
+            return false;
+          }
+        } else {
+          if (LOG.isDebugEnabled()) {
+            LOG.debug("Unexpected shortname in SASL ACL: " + id);
+          }
           return false;
         }
       } else {
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("unexpected ACL id '" + id + "'");
+        }
         return false;
       }
     }
@@ -315,8 +355,16 @@ public class ZooKeeperWatcher implements Watcher, Abortable, Closeable
{
       // TODO: Validate super group members also when ZK supports setting node ACL for groups.
       if (!user.startsWith(AuthUtil.GROUP_PREFIX)) {
         for (ACL acl : acls) {
-          if (user.equals(acl.getId().getId()) && acl.getPerms() == Perms.ALL) {
-            hasAccess = true;
+          if (user.equals(acl.getId().getId())) {
+            if (acl.getPerms() == Perms.ALL) {
+              hasAccess = true;
+            } else {
+              if (LOG.isDebugEnabled()) {
+                LOG.debug(String.format(
+                  "superuser '%s' does not have correct permissions: have %0x, want %0x",
+                  acl.getId().getId(), acl.getPerms(), Perms.ALL));
+              }
+            }
             break;
           }
         }


Mime
View raw message